Hammamet
Abstract—Although the Web, cell phone ‘apps’ and cloud computing put a world of information at our fingertips, that information is under constant threat from cyber vandals and hackers. While awareness of information threats is growing in the Western world, in places like Saudi Arabia, information security is very poor. Unlike Western pluralistic democracies, Saudi Arabia is a highly-censored country, with a patriarchal and tribal culture, which may influence its poor information security rating. This paper examines the level of information security awareness (ISA) among the general public in Saudi Arabia, using an anonymous online survey, based on instruments produced by the Malaysian Cyber Security Organization and KPMG. The survey attracted 633 respondents and the results confirmed that ISA in Saudi Arabia is quite low. Several of the areas of weakness in ISA appear to be related to the level of censorship or the patriarchal and tribal nature of Saudi culture.

Keywords-Information security, Information security awareness, Information systems, Information security management.

I. INTRODUCTION

The World Wide Web, mobile computing, and Cloud Computing have changed the world, providing a wide range of information, anytime and anywhere [1]. However, the development of such technologies also allows new techniques for abusers to misuse or destroy information [2]. These “cyber vandals” can illegally access or destroy online information using techniques such as malware programs (e.g. viruses, trojans and worms), hacking or denial of service (DoS) attacks [3].

To overcome these threats, it is essential for both information providers and information users to have good information security practices, which can be defined as ensuring the availability, integrity and confidentiality of information [4], [5], [6]. However, before Information Security practices become routine, there must be an appropriate level of Information Security Awareness (ISA), which refers to a state in which information users are aware of the information risks and understand the power of both physical and non-physical information security [7], [8]. ISA has become one of the strongest lines of defence against ongoing information threats; it has been demonstrated that a high level of ISA can reduce information risks and increase the efficiency of information security performance [7].

Although this is generally well-understood, some countries, particularly those which are highly-censored, such as Saudi Arabia, do not appear to have understood either the devastating risks of information security threats or the importance of ISA. Indeed, Saudi Arabia has among the highest levels of Information Security risk. This paper aims to understand the relationship between high risk level and ISA in Saudi Arabia.

II. BACKGROUND OF STUDY

Information is now regarded as a valuable commodity; in fact, the entire world finance sector is almost entirely involved in processing and transferring information. However, this valuable commodity is under constant threat of attack. Information threats can be broadly categorised as natural disasters, e.g. floods, fires, earthquakes, or human attacks, e.g. malware attacks, hacking or other intrusions, and denial of service (DoS) attacks [3]. The risk of natural disasters can be mitigated by storing redundant copies of information in widely dispersed locations so that the risk of all copies being destroyed or damaged is incredibly low.

It is the human attacks that pose the greatest risk because these attacks are intentional and the mechanisms for conducting such attacks become more sophisticated every day. Moreover, human attacks typically rely on some other unsuspecting human agent to allow the attack. Malware attacks rely on people opening email attachments or using contaminated portable devices, such as USB drives, on multiple computers. Hackers rely on people leaving computers with no or inadequate passwords. DoS attacks use computers unprotected by firewalls as intermediaries to send billions of bogus transactions to a targeted computer, thereby denying it the processing power or the communications bandwidth to carry out its intended purpose.

To reduce the incidence and severity of human attacks, it is necessary to raise the level of ISA within a specific organisation or in the general public. Information security
FIGURE 1: Highly-Censored Countries Grouped by Type of Filtering [11]

While Saudi Arabia’s tribes are no longer hostile to one another, a person’s tribe is still seen as a source of security [14], [15]. This strong tribalism may also have a direct effect on the level of ISA.

However, there is little or no evidence in the literature of any previous studies of the level or causes of ISA among the Saudi general public. So, this research addresses the questions: (1) is there a relationship between the high risk levels in Saudi Arabia and the level of ISA among the general population? (2) does the level of ISA depend on Saudi Arabia’s highly-censored, patriarchal, tribal culture? (3) what mechanisms might help address low levels of ISA?

III. METHODOLOGY

While our understanding of ISA in Saudi Arabia is very poor, the concept of ISA is well-defined in the literature and several excellent survey instruments exist for assessing ISA. Moreover, this study seeks to gather data from as large a sample of the Saudis as possible, so a survey is an ideal data gathering technique [16], [17]. An online survey is particularly effective over long distances and is well-suited to Saudi culture because women in Saudi Arabia cannot speak to men who are not relatives. Consequently, an online survey can gather a large sample of both men and women in a short time without any ethical problems.

The survey questions were selected from instruments developed by the Cyber Security Organization in Malaysia and Klynveld Peat Marwick Goerdeler (KPMG). All of the survey questions from either survey were included unless they would have been inappropriate for the Saudi culture.

The questions in this research were semi-closed-ended, so they combine the advantages of closed-ended questions and open-ended questions. The survey was translated into the Arabic language because the participants are all from Saudi Arabia. The initial survey was subjected to pilot testing by Saudis who were fluent English speakers to ensure both the validity of the questions and the accuracy of their translation into Arabic. Pilot test participants strongly recommended making all questions optional as they believed that many Saudis would simply stop answering the questions if they encountered a compulsory question that they did not want to answer. The survey questions were then uploaded to Survey Monkey with all questions being optional.

To ensure a high response rate, the researcher distributed an online link to the survey using popular Saudi educational and business websites and forums. This worked well, resulting in 462 responses from adults.

IV. RESULTS

Although there were 462 participants in this study, the number of responses to each question varied significantly because all of the questions were optional (as explained above). An inspection of the data does not suggest that there is any systemic reason for non-completion, i.e. no particular group of respondents chose not to answer particular sets of questions. Even though the non-response rate was sometimes as high as 40%, there were still over 300 respondents for every question, which is sufficient for the purposes of this research. However, the non-response rate itself is interesting; given the high level of censorship of the Internet in Saudi Arabia, it is possible that Saudis are not familiar with online surveys or the expectation that all questions should be answered.

Responses are in 2 main groups: information security issues, and preferences for information dissemination.

A. Information Security Issues

The first question asked if respondents physically secured their portable devices (e.g. laptops, mobile phones etc). Only 29% of 462 respondents indicated that they kept their portable devices in secure places all the time. A further 43.1% of respondents sometimes keep their devices secure, and 22.7% of respondents never keep their devices secure, so there is a surprising lack of care for these devices and the information that they contain.

The second question asked if respondents secured their devices using login passwords. Table II shows 55.2% of respondents used passwords to log in to their devices but 39.7% do not. This makes them more prone to DoS attacks.

Hackers have many tools and techniques for guessing or cracking passwords, including social engineering. Short or weak passwords or passwords that contain personal identification such as name or date of birth allow vandals to crack passwords easily. However, strong passwords of more than 8 characters, including a mixture of numbers, upper and lower case letters and special characters, are far more difficult to crack and so can protect information from unauthorized access or theft.

Table III shows a comparison in some password practices between participants in Saudi Arabia and South Africa. It is clear that password practices in South Africa are stronger than in Saudi Arabia. For example, 27.3% of respondents never change their password compared to 65.7% among Saudi Arabian participants.

TABLE II: USE OF PASSWORDS
Do you have passwords for the following? (N = 458)

| | Percent | Count (N) |
|---|---|---|
| Login/Switch On | 55.2% | 253 |
| Screensaver | 7.2% | 33 |
| Neither | 39.7% | 182 |

TABLE III: COMPARISON OF PASSWORD PRACTICES

TABLE IV: PASSWORD CHANGE
How often do you change your password? (N = 353)

| | Percent | Count (N) |
|---|---|---|
| Daily | 2.3 | 8 |
| Weekly | 2.3 | 8 |
| Monthly | 8.2 | 29 |
| Quarterly | 9.6 | 34 |
| Annually | 11.9 | 42 |
| Never | 65.7 | 232 |

TABLE VI: AWARENESS OF INFORMATION THREATS

TABLE VIII: SOFTWARE TYPES AND UPDATE

but over 50.7% also thought that newspapers would be effective. The Web is particularly appropriate for Saudi culture for two reasons. Firstly, the country is very large and much of the population lives in relatively remote locations. The Web provides distance education which addresses this problem. Secondly, the Web is particularly suited to Saudi women who could not go unaccompanied by a male.

TABLE XI: ISA EFFECTIVE PROMOTING
Which of the following mechanisms would be effective for learning about information security (N = 412)

| Mechanism | Percent | Count (N) |
|---|---|---|
| Web portals | 75.0% | 309 |
| Newspapers | 50.7% | 209 |
| Advertisements | 35.2% | 145 |
| Documentaries | 30.3% | 125 |
| Billboard/Posters | 29.1% | 120 |
| E-Books/e-Magazines | 28.9% | 119 |
| Seminars | 21.1% | 87 |
| Cartoon series | 16.3% | 67 |
| Books | 14.8% | 61 |
| Talks | 14.1% | 58 |
| Magazines | 13.1% | 54 |
| Exhibitions | 12.1% | 50 |
| Web based games | 8.7% | 36 |
| Other | 0.7% | 3 |

There are a number of interesting observations that can be made about these two questions. Firstly, the number of respondents who used the “Other” option in the previous question, which was about the sources that have been used to learn about information security, is only 21.8%. This means that, apart from the 5 listed options, most respondents had not used many other methods to find out about Information Security. However, when presented with a larger set of information dissemination methods (Table XI), respondents found many of them useful. For example, 50.7% nominated newspapers as an effective medium (Table XI) but very few included newspapers as an “Other” mechanism that they had already used in the sources of learning about Information Security question. The most likely reason for this discrepancy is that respondents believed that newspapers could be effective but that they had not previously found the information they required in newspapers. This is not surprising as Saudi newspapers are highly conservative and highly censored, so newspapers have probably paid scant attention to a problem that only affects the Web, which is a major competitor to print media. Similarly, documentaries and billboard posters were far better represented in Table XI (35.2% and 28.9%, respectively) than the 21.8% “Other” in the sources of learning about Information Security question. Once again, the print and television media in Saudi Arabia are not concerned about threats to online information.

V. CONCLUSIONS AND FUTURE RESEARCH

Saudi Arabia had the ninth highest incidence of Information Security attacks in the world in 2008 and the seventh highest in 2009 according to Kaspersky Lab; this is unusual, given its relatively small population and level of Internet adoption. This paper has suggested that the level of attacks may be due to a lack of ISA among the Saudi general public.

It has also been suggested that the lack of ISA may be due to the highly-censored, patriarchal and tribal nature of Saudi culture. A survey of 462 Saudis has confirmed that ISA is in fact very low and that a number of information security risks may be related to Saudi culture. These include the sharing of passwords, which can be explained in the context of the tribe. Similarly, the expectation that the government or other information providers are responsible for Information Security reflects the patriarchal Saudi culture.

The frequency with which passwords were changed and the strength of passwords themselves supported the conclusion that the general public either does not know about recommended security procedures or simply chooses not to follow them. So, the paper has confirmed that ISA is low in Saudi Arabia and this is almost certainly one of the causes of the high level of Information Security attacks in that country. The next phase of this research will examine the IT practices in Saudi Arabia to determine if Saudi IT departments are aware of recommended practices and standards, if Saudi organizations have specialist IT security staff and if Saudi IT practitioners are sufficiently qualified in information security. The study has also shown that the most appropriate methods of disseminating information about Information Security to the general public are via Web portals or via newspapers. Both of these mechanisms address the problems of distance and strict cultural controls that apply to women.

ACKNOWLEDGMENT

The authors would like to thank King Saud University in Saudi Arabia for their funding of the scholarship for this research.

REFERENCES

[1] H. Afyouni, Database Security and Auditing: Protecting Data Integrity and Accessibility, Thomson Course, Canada, 2006.
[2] R. Bragg, M. Ousley, and K. Strassberg, Network Security: The Complete Reference, Coral Ventura, United States of America, 2004.
[3] C. Easttom, Computer Security Fundamentals, Pearson Prentice Hall, United States of America, 2006.
[4] E. Turban, J. Wetherbe, and E. McLean, Information Security Technology for Management: Improving Quality and Productivity, 3rd Edition, Wiley, United States of America, 1996.
[5] W. Stallings, and L. Brown, Computer Security Principles and Practice, Pearson Education, United States of America, 2008.
[6] M. Whitman, and H. Mattord, Management of Information Security, Thomson Course Technology, Canada, 2008.
[7] M. Siponen, “A conceptual foundation for organizational: information security awareness”, Information Management & Computer Security, vol. 8, 2000, pp. 31-41.
[8] H. Kruger, L. Drvein, and T. Steyn, “A vocabulary test to assess information security awareness”, Information Management & Computer Security, vol. 18, 2010, pp. 316-327.
[9] Kaspersky Security Bulletin, http://www.kaspersky.com/reading_room?chapter=207716858, 2010, accessed 09/02/2010.
[10] J. Green, and N. Karolidies, Encyclopedia of Censorship, Facts On File, New York, 2005.
[11] R. Deibert, J. Palfrey, R. Rohozinski, and J. Zittrain, Access Denied: The Practice Policy of Global Internet Filtering, The MIT Press, London, 2008.
[12] Library of Congress – Federal Research Division, Country Profile: Saudi Arabia, September 2008.
[13] M. Moaddel, “The Saudi public speaks: religion, gender, and politics”, International Journal of Middle East Studies, vol. 38, 2006, pp. 79-108.
[14] H. Alhagil, Treasure lineage and Arts Complex, Saudi National House, Riyadh, 2001.
[15] A. Alothimin, History of Saudi Arabia, Obekan Ltd., Riyadh, 2009.
[16] J. Creswell, Research design: Qualitative, quantitative, and mixed method approaches, Sage Publications, California, 2003.
[17] D. Hancock, and B. Algozzine, Doing Case Study Research, Teachers College Press, New York, 2006.