Measuring Awareness
Business Information Systems - Measuring Awareness
Measuring Awareness in the Organization
Theoretical Perspectives Measuring Awareness
Awareness Measuring Techniques
Managing Security As Part Of Efficient Awareness
Measuring Awareness Vs. Measuring Knowledge
Business Information Systems and Employee Awareness
Types of Training Necessary
Key Features of Awareness Program
Business Information Systems - Measuring Awareness
As businesses continue to become technologically advanced and operate in global contexts, more and more business information systems are used to streamline business processes and enable efficient communications and transactions between internal and external customers. Surprisingly, in many cases business information systems are used inefficiently at best within the organization. Worse, improper use of business information systems often results in security risks and threats to the well-being of the organization and its employees.
The purpose of this research paper is an analysis of effective techniques for improving employee awareness regarding business information systems particularly with regard to security training. The aim is to evaluate a strategy for implementing a successful awareness program and identify the level of awareness necessary in a business environment. In addition the researcher will attempt to quantify how business information systems benefit organizations, how they are linked to organizational systems and how employee awareness factors into organizational competency and ultimately organizational success.
Background to the Problem
Only in recent years have researchers and organizations paused to consider the relevance employee awareness may have on business information systems (Coe, 2005). Lack of awareness within the organization at all levels may not only inhibit organizational efficiency, but may also compromise organizational security. Organizations are continually faced with increasing threats from hackers, viruses and even disgruntled employees that can circumvent internal security measures (Rasmussen, 2005). The best way for an organization to protect itself from security threats is to address threats directly by educating employees and measuring employee awareness of business information systems and the vital security measures in place to protect those systems (Rasmussen, 2005).
Awareness also results in greater productivity, motivation to perform a job correctly and self-empowerment among employees (Coe, 2005). For these reasons and more organizations are attempting to measure and also quantify awareness of information systems within the organizational system.
Significance of Problem
Studies suggest that only slightly more than half of employees in companies large and small have a complete understanding and awareness not only of the functions of business information systems but also of the security risks and procedures inherent in the use of such systems (Coe, 2005). User error is to blame for 70% or more of the problems businesses have with information technology (Coe, 2005). For this reason it is vital that organizations develop not only methods and techniques for measuring awareness but also tools for training employees to maximize efficiency and enhance security.
Literature Review
Measuring Awareness In The Organization
Coe (2005) suggests that only 60% of employees remember or are aware of their organization's computer security programs. A recent study released by the National Cyber Security Alliance confirmed this report, suggesting that "more than a third of PC users thought they had a greater chance of winning the lottery than being hit by malicious code" (Coe, 1).
Another survey by Ernst & Young reports that greater than 70% of organizations fail to raise employee awareness of business information systems as many do not see training as a top organizational initiative (Coe, 2005).
Unfortunately more than 72% of businesses are also at increased risk of infection and security attacks (Coe, 2005). Ongoing security training is vital to an organization's health and well-being.
Wood (2002) suggests that organizations use online tools, including free tools such as PentaSafe Security Technologies' online Information Security Awareness Index, to benchmark an organization's level of security and address any risks posed by lack of awareness (1). He notes that "human errors are the major cause of security breaches in organizations today" and suggests that organizations must work to create stronger policies, define roles and responsibilities more clearly and manage security awareness to help businesses grow successfully and safely (Wood, 2002).
Some refer to the process of measuring awareness as an information audit (Dobson, 2001). This audit determines where information comes from in an organization, where it goes, how it is used, who manages and shares it and who may process information (Dobson, 2001). An information awareness or audit should be customized to an organization and focus on "awareness, relevance, usability and unmet needs" with respect to business information systems (Dobson, 2001). An organization may also need to assess how information moves within the organization (Dobson, 2001).
To adequately measure awareness an organization must first establish goals for its audit, identify individuals responsible for measuring information knowledge and provide them with background information regarding the organization, and then engage in awareness measuring techniques (Dobson, 2001).
Theoretical Perspectives Measuring Awareness
Currie & Galliers (1999) point out that when considering business information systems within organizations it is important that researchers determine what the theoretical and methodological approach to the examination of the issue at hand should be. In order for research to be valid it must be "underpinned by theoretical and methodological approaches" where relevant (Currie & Galliers, 3). Thus one should approach awareness and the desire to measure it from a methodological or theoretical standpoint.
From a methodological perspective a researcher must first understand the basic social phenomena underlying a given situation. With regard to awareness, the organization must first be able to define its business information systems before it can measure awareness regarding them (Currie & Galliers, 1999). Researching information systems involves examining political and organizational processes related to maintaining and sharing information and working with technology within the organization (Currie & Galliers, 1999).
From a theoretical perspective Currie & Galliers (1999) suggest that an information system works synergistically within an organization, with the organization and information system having a "transformational effect on one another" (p. 8). This means that the components of each may react to and affect one another. Information systems within an organizational context must "be studied, understood and managed together not separately" (Currie & Galliers, 8). Measuring information technology inherently then also means measuring intellectual technology within the organization (Currie & Galliers, 1999).
There are a number of theoretical perspectives that explore the relationship between information systems and organizational structure. Earl (1998) summarizes many of the principal positions, which include the ideas that (1) business information systems are central to organizational control, (2) business information systems decentralize organizational control, (3) organizations and business information systems interact unpredictably and (4) within organizations information systems can enable new organizational arrangements, including a networked organization (Earl, p. 6). Each of these ideas is influenced in some manner by employee awareness. For example, if business information systems are central to organizational control then one can conclude that awareness of such systems is central to an organization's efficiency and profitability (Earl, 1998).
If business information systems decentralize the organization's structure, information should be distributed more easily to lower levels of the organization, empowering workers to make their own decisions when adequately aware of the information available through computer systems (Earl, 1998). Business information systems are most likely to react unpredictably when user error is common (Earl, 1998). However, an organization may intervene in this instance by measuring awareness of information systems and business processes to ensure employees are equipped with the tools necessary to succeed.
Awareness Measuring Techniques
There are multiple techniques an organization can use to measure awareness. The first are interviews, which help an organization primarily evaluate "information needs, staff responsiveness and attitudes" toward security and "information services in general" (Dobson, 2001). Interviews help managers track the methods employees use to share information and allow specific questioning that can help define gaps in knowledge (Dobson, 2001).
Focus groups are another method for measuring awareness (Dobson, 2001); they allow participants to interact and generate ideas in a team-oriented environment. This technique often enables organizations to evaluate existing information systems, awareness regarding them and potential security breaches or gaps in knowledge among groups of employees (Dobson, 2001).
Surveys are yet another technique; they provide quantifiable information regarding information systems that organizations can use to benchmark processes (Dobson, 2001). The best surveys are those that incorporate short, simple questions (Dobson, 2001). Questions should be direct, clear and to the point.
Managing Security As Part Of Efficient Awareness
There are many types of business information system security programs organizations can implement. Examples include firewalls and anti-virus software; unfortunately security breaches occur even with these programs in place, often because organizations fail to recognize the human aspect of information security in the workplace (Wood, 2002).
An ideal security awareness program is one that will not only enable corporations to recognize threats but also to respond to them in a timely fashion. Rasmussen (2005) suggests that awareness programs should start with senior management support within organizations. Employees should have access to security policies but also sign them to acknowledge their understanding and acceptance of them (Rasmussen, 2005).
Measuring Awareness Vs. Measuring Knowledge
It is vital that organizations understand the difference between measuring knowledge and measuring awareness in order to develop a successful organizational system. Awareness has been defined as conscious ideology of an issue or existence of broad subject matter (DTI, 11). This means not simply knowing about a subject but having the ability to interpret the subject and recognize the consequences of its use. An individual must have some idea of the "working life to which an issue relates" in order to hold awareness of an issue (DTI, 10). Knowledge on the other hand requires "Theoretical or practical understanding of a subject" (DTI, 10). Knowledge suggests that an employee must demonstrate a clear understanding of the detailed provisions of a certain subject or situation (DTI, 11).
Using this interpretation it seems not enough that organizations evaluate employee awareness of issues; rather, organizations must also test employee knowledge of business information systems. This is because by nature knowledge carries more weight and seems a stronger force than simple awareness. Employees may, for example, demonstrate that they are aware of a business information system but not have any knowledge of how it works or how it relates to the organizational system as a whole.
When measuring awareness and knowledge it is also vital for organizations to use assessments other than a respondent's own assessment of their knowledge or awareness, as such individual assessments may be tainted or not verifiable (DTI, 12). Rather, an organization should develop a systematic method of assessing awareness or knowledge to truly understand the level at which employees understand a subject (business information systems) and can use it effectively (DTI, 12).
Business Information Systems and Employee Awareness
Relatively few studies have actually examined the relationship that information systems and employee awareness of them have to organizational structure (Earl, 1998). There is however a growing interest among researchers and organizations alike in examining the relationship that exists between information technology systems and organizational structure (Earl, 1998).
Organizational structure however is "one of the key variables affecting how firm's strategies are implemented"; thus analysis of organizational structure may be a critical determinant of organizational performance (Earl, 1998). The ability of a firm to compete depends on its ability to learn (Earl, 1998), which is in part a reflection of how aware employees are of organizational structure and how well they understand information technology and systems within the organization.
Types of Training Necessary
Studies suggest that the best way to overcome problems associated with business information failures is to train employees in best practices. Employees must not only understand the function of information systems and their relevance to the organization, but also must understand the risks associated with improper use or negligence. The best types of programs involve proactive intrusion prevention programs and systems, which include central security measures and employee awareness of security measures (such as antivirus software and firewalls) (Coe, 2005). Yet another study shows that "75% of organizations find that lack of user awareness damages security program's effectiveness" (Coe, 2). Employees and other end users are in fact an important link in the computer information system security process, yet many are unaware of this.
One way to mitigate concerns may be through creation of task forces which can include IT members, HR, marketing, internal communications and employees (Coe, 2005). These task forces can work on continuous improvement and ensure that employees are continually trained and informed of changes in information technology processes. Because the field of information management is so dynamic, changes, often within short intervals, are often inevitable. The more continuous improvement that exists, the more likely an organization is to successfully adopt efficient and productive business practices.
Key Features of Awareness Program
It is important that an awareness program is based on time tested procedures or processes. Organizations must decide what techniques and methods will work best for their organization based on a number of factors, including the industry the organization is in, the size of the organization, the organizational culture, the type of business information systems in use and the resources available to an organization (Coe, 2005).
For an organization to implement an effective awareness program it must first conduct an internal security audit so that management and security team members can gain insight into the current state of security awareness within the organization (Coe, 2005). This audit should review existing security policies, "the level of employee awareness" and any additional security systems in place (Coe, 3).
Other features of a successful program must include computer use policies that are easy to understand and enforceable (Coe, 2005). A policy must be incorporated into organizational culture and the environment and make use of any existing security force in place (Coe, 2005). Organizations should also work to garner feedback from employees regarding training, delivery method and the perceived importance of a security program (Coe, 2005).
Employees must also become aware that business information systems are more than just technologically intelligent systems. There are many benefits employees and organizations stand to gain from using business information systems to their fullest. They are a "means to growing a business organization" and require among other things "vision, money and patience into their development and implementation" (Thierauf, 2001). A full understanding of information systems enables employees and managers to gain valuable insights regarding customers, transactions, suppliers and business functioning (Thierauf, 2001). Measuring awareness involves determining whether employees understand what steps are necessary to keep an organization functioning optimally in the present and in the future (Thierauf, 2001). It also entails gathering the necessary information to develop training programs that will result in a better understanding of the knowledge, information and data necessary to manage the organization efficiently from day to day (Thierauf, 4).
Methods
Currie & Galliers (1999) propose a methodological approach to measuring awareness that entails eliciting factual information about social phenomena. From that perspective the researcher proposes using second-order questions that are designed not simply to measure factual information, but to put that information into conceptual context and clarify the subject rather than simply state facts (Currie & Galliers, 1999). The questions the researcher aims to answer in this study include whether measuring awareness offers companies competitive advantage, and whether organizations understand the concept of measuring awareness and the potential security risks that lack of awareness within an organization entails.