The 2nd International Conference on Communications and Information Technology (ICCIT): Digital Information Management,
Hammamet
A Study of Information Security Awareness and
Practices in Saudi Arabia
Abdulaziz Alarifi Holly Tootell
SISAT SISAT
University of Wollongong University of Wollongong
Wollongong, Australia Wollongong, Australia
aaa296@uowmail.edu.au holly@uow.edu.au
Abstract—Although the Web, cell phone ‘apps’ and cloud
computing put a world of information at our fingertips, that
information is under constant threat from cyber vandals and
hackers. While awareness of information threats is growing in
the Western world, in places like Saudi Arabia, information
security is very poor. Unlike Western pluralistic democracies,
Saudi Arabia is a highly-censored country, with a patriarchical
and tribal culture, which may influence its poor information
security rating. This paper examines the level of information
security awareness (ISA) among the general public in Saudi
Arabia, using an anonymous online survey, based on
instruments produced by the Malaysian Cyber Security
Organization and KPMG. The survey attracted 633
respondents and the results confirmed that ISA in Saudi
Arabia is quite low. Several of the areas of weakness in ISA
appear to be related to the level of censorship or the
patriarchical and tribal nature of Saudi culture.
Keywords-Information security, Information security
awareness, Information systems, Information security
management.
I. INTRODUCTION
The World Wide Web, mobile computing, and Cloud
Computing have changed the world, providing a wide range
of information, anytime and anywhere [1]. However, the
developments of such technologies also allows new
techniques for abusers to misuse or destroy information [2].
These “cyber vandals” can illegally access or destroy online
information using techniques such as malware programs (e.g.
viruses, trojans and worms), hacking or denial of service
(DoS) attacks [3].
To overcome these threats, it is essential for both information
providers and information users to have good information
security practices, which can be defined as ensuring the
availability, integrity and confidentiality of information [4],
[5], [6]. However, before Information Security practices
become routine, there must be an appropriate level of
Information Security Awareness (ISA), which refers to a
state in which information users are aware of the information
risks and understand the power of both physical and non-
physical information security [7], [8]. ISA has become one of
978-1-4673-1950-8/12/$31.00 ©2012 IEEE 6
Peter Hyland
SISAT
University of Wollongong
Wollongong, Australia
phyland@uow.edu.au
the strongest lines of defence against ongoing information
threats; it has been demonstrated that a high-level of ISA can
reduce information risks and increase the efficiency of
information security performances [7].
Although this is generally well-understood, some countries,
particularly those which are highly-censored, such as Saudi
Arabia, do not appear to have understood either the
devastating risks of information security threats or the
importance of ISA. Indeed, Saudi Arabia has among the
highest levels of Information Security risk. This paper aims
to understand the relationship between high risk level and
ISA in Saudi Arabia.
II. BACKGROUND OF STUDY
Information is now regarded as a valuable commodity; in
fact, the entire world finance sector is almost entirely
involved in processing and transferring information.
However, this valuable commodity is under constant threat
of attack. Information threats can be broadly categorised as
natural disasters e.g. floods, fires, earthquakes, or human
attacks e.g. malware attacks, hacking or other intrusions, and
denial of service (DoS) attacks [3]. The risk of natural
disasters can be mitigated by storing redundant copies of
information in widely dispersed locations so that the risk of
all copies being destroyed or damaged is incredibly low.
It is the human attacks that pose the greatest risk because
these attacks are intentional and the mechanisms for
conducting such attacks become more sophisticated every
day. Moreover, human attacks typically rely on some other
unsuspecting human agent to allow the attack. Malware
attacks rely on people opening email attachments or using
contaminated portable devices, such as USB drives, on
multiple computers. Hackers rely on people leaving
computers with no or inadequate passwords. DoS attacks use
computers unprotected by firewalls as intermediaries to send
billions of bogus transactions to a targeted computer, thereby
denying it the processing power or the communications
bandwidth to carry out its intended purpose.
To reduce the incidence and severity of human attacks, it is
necessary to raise the level of ISA within a specific
organisation or in the general public. Information security
policies and procedures are commonplace in most networks received 1.81% in 2009. However, Saudi Arabia
organisations, and seek to give employees clear guidelines on accounts for only 0.002 % of the internet users in the world,
what they should or should not do, thereby increasing the which is far less than the percentage of attacks they
security of corporate information. The general public, too, is experienced. In 2010 Saudi Arabia had nearly the same
becoming more aware of many information security threats. percentage of attacks 1.77%, which raises the question: why
However, that is not the case throughout the world as shown is Saudi Arabia so prone to attack? Furthermore, Trend
in Table I. Micro Smart Protection Network announced in September
2010 that Saudi Arabia has 421998 hacked computers,
In 2011, the Kaspersky Lab, a highly-respected information which was an increase of 65% in less than a year.
security specialist, reported the following statistics about
information security and targeted attacks around the world. Similarly, Semantic lab found that Saudi Arabia is the most
Table I represents 86.3% of the known information attacks spammed country in the world. In June 2011, there were
by country in 2009 and 82% in 2010. 39.2 billion spam messages sent. Saudi Arabia’s spam rate
TABLE I: INCIDENCE OF INFORMATION ATTACKS: THE
is 82.2% meaning that 82.2% of emails are spam. This is an
HIGHEST 20 COUNTRIES [9] almost unbelievable figure. Russia is the second most-
spammed country and China is the third.
2009 2010 What has caused this anomaly and is it related to either
No. Countries Attack No. Countries Attack % Saudi Arabia’s high level of legislation and censorship or
% their lack of data protection laws?
1 China 46.75% 1 China 19.05%
2 USA 6.64% 2 Russia 17.52%
Saudi Arabia is highly-censored country. Censorship can be
defined as the control of information and ideas circulated
3 Russia 5.83% 3 USA 10.54%
within a society by a censor [10]. As shown in Fig. 1, Saudi
4 India 4.54% 4 India 5.56%
Arabia is subject to all three of the major types of filtering
5 Germany 2.53% 5 Germany 3.16% [11], namely, political, social and security/conflict filtering.
6 Great 2.25% 6 Ukraine 2.66% However, censorship alone cannot explain the large number
Britain
of attacks in Saudi Arabia because Iran has the same types
7 Saudi 1.81% 7 Vietnam 2.60%
Arabia
of censorship and a far higher rate of Internet use than Saudi
Arabia but it doesn’t even rate in the top twenty countries
8 Brazil 1.78% 8 Great 2.56%
Britain for information attack. Perhaps it is some combination of
9 Italy 1.74% 9 France 2.55%
culture and censorship that makes Saudi Arabia prone to
attack. This paper focuses on exploring the reasons that
10 Vietnam 1.64% 10 Italy 2.39%
Saudi Arabia is so prone to information attack.
11 Mexico 1.58% 11 Spain 2.06%
12 France 1.49% 12 Saudi 1.77% Given our focus on Saudi Arabia, it is necessary to know a
Arabia little about the country and its people. Saudi Arabia is one of
13 Egypt 1.37% 13 Malaysia 1.62% largest countries in the Middle East with approximately 26
14 Turkey 1.23% 14 Turkey 1.60% million inhabitants, 99% of whom are Muslims. It is an oil
15 Spain 1.2% 15 Brazil 1.49% rich country and the income from oil subsidises a welfare
16 Ukraine 0.91% 16 Mexico 1.47% state controlled by the government, which is in turn
17 Canada 0.81% 17 Canada 1.31% dominated by the royal family, which numbers many
18 Malaysia 0.8% 18 Thailand 1.15%
thousands and controls most of the kingdom’s important
19 Thailand 0.76% 19 Poland 1.09%
posts [12]. The Islamic religion plays a huge part in Saudi
life and politics and all the decisions made by the king must
20 Kazakhstan 0.71% 20 Egypt 1.02%
be consistent with Islamic law. Saudis consider religion as
Total 86.37% Total 82%
the most important element of their identity [13]. The
Saudi’s interpretation of Islamic law severely constrains the
To understand these statistics we must realise that the roles of women, and the mixing of the sexes is actually
number of attacks will be, to some extent, dependent on the prohibited outside the family.
number of people using computers and having access to the The country is strongly patriarchical, which may affect the
Internet. Thus, Italy has more than double the attacks that level of ISA. Also, tribes are one of the most influential
Thailand does, even although they have similar populations. factors in Arab life especially in the Arabian Peninsula.
However, Italy has nearly double the rate of Internet use that Reflecting their Bedouin heritage, a person’s tribe offers
Thailand does, and so we would expect there to be more protection from other hostile tribes or foreigners.
attacks.
Once the rate of computer/Internet use is factored in, Saudi
Arabia has far higher rates of attack than its level of
computer/Internet use would suggest. Saudi Arabia

7

FIGURE 1: Highly-Censored Countries Grouped by Type of Filtering [11]
While Saudi Arabia’s tribes are no longer hostile to one
another, a person’s tribe is still seen as a source of security
[14], [15]. This strong tribalism may also have a direct
effect on the level of ISA.
However, there is little or no evidence in the literature of
any previous studies of the level or causes of ISA among the
Saudi general public. So, this research addresses the
questions: (1) is there a relationship between the high risk
levels in Saudi Arabia and the level of ISA among the
general population? (2) does the level of ISA depend on
Saudi Arabia’s highly-censored, patriarchical, tribal culture?
(3) what mechanisms might help address low levels of ISA?
III. METHODOLOGY
While our understanding of ISA in Saudi Arabia is very
poor, the concept of ISA is well-defined in the literature and
several excellent survey instruments exist for assessing ISA.
Moreover, this study seeks to gather data from as large a
sample of the Saudis as possible, so a survey is an ideal data
gathering technique [16], [17]. An online survey is
particularly effective over long distances and is well-suited
to Saudi culture because women in Saudi Arabia can not
speak to men who are not relatives. Consequently, an online
survey can gather a large sample of both men and women in
a short time without any ethical problems.
The survey questions were selected from instruments
developed by the Cyber Security Organization in Malaysia
and Klynveld Peat Marwick Goerdeler (KPMG). All of the
survey questions from either survey were included unless
they would have been inappropriate for the Saudi culture.
The questions in this research were semi-closed ended so
combine the advantages of closed-ended questions and
open-ended questions. The survey was translated into the
Arabic language because the participants are all from Saudi
Arabia. The initial survey was subjected to pilot testing by
Saudis who were fluent English speakers to ensure both the
validity of the questions and the accuracy of their translation
into Arabic. Pilot test participants strongly recommended
8
making all questions optional as they believed that many
Saudis would simply stop answering the questions if they
encountered a compulsory question that they did not want to
answer. The survey questions were then uploaded to Survey
Monkey with all questions being optional.
To ensure the high response rate, the researcher distributed
an online link to the survey using popular Saudi educational
and business websites and forums. This worked well,
resulting in 462 responses from adults.
IV. RESULTS
Although there were 462 participants in this study, the
number of responses to each question varied significantly
because all of the questions were optional (as explained
above). An inspection of the data does not suggest that there
is any systemic reason for non-completion i.e. no particular
group of respondents chose not to answer particular sets of
questions. Even although the non-response rate was
sometimes as high as 40%, there were still over 300
respondents for every question, which is sufficient for the
purposes of this research. However, the non-response rate
itself is interesting; given the high level of censorship of the
Internet in Saudi Arabia, it is possible that Saudis are not
familiar with online surveys or the expectation that all
questions should be answered.
Responses are in 2 main groups: information security issues,
and preferences for information dissemination.
A. Information Security Issues
The first question asked if respondents physically secured
their portable devices (e.g. laptops, mobile phones etc).
Only 29% of 462 respondents indicated that they kept their
portable devices in secure places all the time. A further
43.1% of respondents sometimes keep their devices secure,
and 22.7% of respondents never keep their devices secure,
so there is a surprising lack of care for these devices and the
information that they contain.
The second question asked if respondents secured their
devices using login passwords. Table II shows 55.2% of
respondents used passwords to login into their devices but
39.7% do not. This makes them more prone to DoS attacks.
Hackers have many tools and techniques for guessing or
cracking passwords, including social engineering. Short or
weak passwords or passwords that contain personal
identification such as name or date of birth allow vandals to
crack passwords easily. However, strong passwords of more
than 8 characters, including a mixture of numbers, upper
and lower case letters and special characters, are far more
difficult to crack and so can protect information from
unauthorized access or theft.
Table III shows a comparison in some password practices
between participants in Saudi Arabia and South Africa. It is
clear that password practices in South Africa are stronger
than in Saudi Arabia. For example, 27.3% of respondents
never change their password compared to 65.7% among
Saudi Arabian participants.
 TABLE II: USE OF PASSWORDS TABLE IV: PASSWORD CHANGE

Do you have passwords for the following? (N =458) How often do you change your password? (N = 353)
Percent Count (N) Percent Count (N)
Daily 2.3 8
Login/ Switch On 55.2% 253
Weekly 2.3 8
Screensaver 7.2% 33
Monthly 8.2 29
Neither 39.7% 182
Quarterly 9.6 34

Annually 11.9 42
TABLE III: COMPARISON OF PASSWORD PRACTICES
Never 65.7 232

Response South Africa Saudi Arabia

I never change my password 27.3% 65.7% TABLE V: INCIDENCE OF PASSWORD SHARING

I choose a simple and easy password 9.1% 45%

I share my password with others 0%
Also, there is a far higher level of choosing simple
passwords in Saudi Arabia (45%) than in the South African
study (with only 9.1%). Another alarming and surprising
result is that 35.8% of Saudis share their passwords with
others compared to 0% in South Africa.
Having a good password is still not enough to completely
secure information; passwords should be changed regularly.
Table IV shows the participants’ responses to the question,
“How often do you change your passwords?” Amazingly,
65.7% respondents have never changed their passwords. In
comparison, a South Africa study [8], reported that only
27.3% of respondents have never changed their passwords.
This is a major security risk for Saudi Arabia.
Tables III and IV suggest that Saudis are either unaware of
the value of strong passwords that are changed regularly or,
if they are aware of it, simply don’t see it as their
responsibility. This abrogation of responsibility is reflected
in later responses and may be associated with a patriarchical
society in which “those in charge” are responsible and
individuals are not. In either case it indicates a low level of
ISA. Even more alarming is that the data suggest that
systems administrators in Saudi Arabia are not aware of this
problem either; otherwise systems would automatically
force users to select strong passwords and to change those
passwords regularly.
The responses to the next question are the most alarming of
all. Table V shows that 35.8% of 363 respondents shared
their access passwords with their family members. ISA
research conducted in South Africa [8] suggests that
password sharing is close to 0%. However, the South
African study, reported that 22.7% of respondents would
share a password with a system administrator when it’s
2.8% in Saudi Arabia.
Who knows the password to your accounts or data: (N = 363)
35.8%
Percent Count (N)
Only by you 63.6% 231
35.8% 130
By family members
By a few colleagues 9.6% 35
By a system administrator 2.8% 10
This raises the question, why share with family members but
not with other responsible people outside the family. The
high-level intra-familial password sharing may be linked to
the Saudi’s tribal culture in which members of the tribe are
seen as trustworthy but those outside the tribe are not.
Regardless of the association with tribal culture, the security
risk associated with password sharing is serious. Indeed, it
hardly matters how strong your password is or how often
you change it if you give it away to others.
While we might expect most people to be aware of the
threat of viruses, there are a number of other less well-
known information security threats which may cause loss of
availability, integrity and confidentiality, such as malware,
hacking, intrusions and Denial of Service (DoS) attack ([3],
[2] .
Table VI compares responses from the current study and a
previous global study of respondents’ awareness of some of
the main information security threats. As expected,
awareness of virus attack was high, as was awareness of
spam emails. However, only 7.4% of 462 Saudi respondents
were aware of DoS attacks, compared to 56% of 333
participants in the global study. Phishing scam awareness in
Saudi Arabia is only 29.7% while it is 70% in the global
study. Only 25.5% of Saudi respondents were aware of the
risk of identity theft compared to 81% in the global study.
Faced with a number of different information security
threats, a wise computer user has a number of security
mechanisms at hand. So, participants were asked which type
of security mechanism they used. Given the high level of
awareness of viruses shown in Table VI, it is not surprising
that Table VII shows that over shows that over 86% of
participants use antivirus software.

9
 TABLE VI: AWARENESS OF INFORMATION THREATS TABLE VIII: SOFTWARE TYPES AND UPDATE

Global Saudi Type of software used and last update ? (N = 462)

Information Security Threats
Study Arabia Freeware Paid License
Viruses 92% 87.2% One day ago 57 56
Last month 80 54
Spam 90% 57.8%
3 months ago 57 33
Phishing 70% 29.7% 6 months ago 30 22
Last year 34 29
Denial of Service (DoS) attack 56% 7.4%
Never 94 41
Identity theft 81% 25.5%
Count (N) 352 235

TABLE VII: PROTECTION-SOFTWARE USE TABLE IX: DATA BACKUP USE

Information Security Global Saudi Frequency of back up of sensitive/critical data? (N = 462)

Control Software Study Arabia Percent Count (N)
Antivirus 98% 86.7% Never 43.9% 203
Firewall 78% 22.3%
Sometimes 38.3% 177
Anti-Spyware 75% 10.4%
Frequently 15.2% 70
Anti-Spam 67% 13.9%
Everyday 2.6% 12

However, probably because they are unaware of the other

potential threats, the use of all other protection mechanisms
is far lower. Of 452 Saudi respondents, only 13.9% of
Saudis use anti-spam software and 10.4% use anti-spy
software compared to 67% and 75% respectively, in the
Global study.
It is interesting to note that the use of protection is in all
cases lower than the awareness of threats. This tells us that,
even Saudis know these threats exist; they often take no
steps to address the threats.
Of course, it is not enough simply to install protection
software; one must also keep it up to date. Mechanisms to
control threats such as viruses, trojans, spy attacks or spam
need regular and frequent updates. Table VIII shows clearly
the low awareness of the need of such updates both for
freeware and licensed software.
Amazingly, over 53% of users of both freeware and licensed
protection software have not upgraded their software in
more than 3 months. Possibly the cost of upgrades is a
contributing factor, however, upgrades to freeware are free,
but participants still did not upgrade that software either. So,
cost does not seem to be an explanation.
Should information attack damage or destroy data, one can
often use a backup to restore the lost data. Indeed, many
individuals and companies do not really value their own
information until it is successfully attacked and they need to
restore it somehow. So, even if Saudi’s are incredibly poor
at protecting their data, perhaps their backup procedures will
provide a fall-back position. Unfortunately, Table IX clearly
shows that 43.9% of participants never did a backup of their
data.
Only 15.2% do a backup frequently or everyday, so over
80% of participants have ineffective backup procedures
which place them enormously at risk. This means that, if
their data is corrupted by an attack, they have no mechanism
to restore it. All the corrupted data would need to be re-
entered by hand.
Reporting security incidents is a useful practice as it allows
the user to find better protection solutions. It also provides a
service to the whole community as it allows security
providers to address particular threats and reduce the
likelihood of similar information security incidents in the
future. Unfortunately, Table X shows that 80.5% of
respondents are not aware how or where they can report
security incidents. This low awareness of appropriate
responses, would reduce the speed with which threats could
be dealt with and hamper overall information security across
the country.
TABLE X: INCIDENT REPORTING
Do you know if you can report security incidents? (N = 462)
Percent Count (N)
No 80.5% 372
Yes 19.5% 90
B. Preferences for Information Dissemination
Table XI shows the list of communication mechanisms that
respondents believed could effectively promote ISA.
Respondents were asked to indicate their three most
preferred options. 75% of 412 respondents prefer the Web

10
but over 50.7% also thought that newspapers would be This paper has suggested that the level of attacks may be
effective. The Web is particularly appropriate for Saudi due to a lack of ISA among the Saudi general public.
culture for two reasons. Firstly, the country is very large and
much of the population lives in relatively remote locations. It has also been suggested that the lack of ISA may be due
The Web provides distance education which addresses this to the highly-censored, patriarchical and tribal nature of
problem. Secondly, the Web is particularly suited to Saudi Saudi culture. A survey of 462 Saudis has confirmed that
women who could not go unaccompanied by a male. ISA is in fact very low and that a number of information
security risks may be related to Saudi culture. These include
the sharing of passwords which can be explained in the
context of the tribe. Similarly, the expectation that the
Table XI: ISA EFFECTIVE PROMOTIMG government or other information providers are responsible
for Information Security reflects the patriarchical Saudi
Which of the following mechanisms would be effective for learning culture.
about information security (N=412)
Count Count The frequency with which passwords were changed and the
Percent Percent
(N) (N) strength of passwords themselves supported the conclusion
Cartoon that the general public either does not know about
75.0% 309 16.3% 67
Web portals series recommended security procedures or simply chooses not to
Newspapers 50.7% 209 Books 14.8% 61 follow them. So, the paper has confirmed that ISA is low in
Advertisements 35.2% 145 Talks 14.1% 58 Saudi Arabia and this is almost certainly one of the causes
of the high level of Information Security attacks in that
Documentaries 30.3% 125 Magazines 13.1% 54
country. The next phase of this research will examine the IT
Billboard/
29.1% 120 12.1% 50 practices in Saudi Arabia to determine if Saudi IT
Posters Exhibitions
departments are aware of recommended practices and
E-Books/ e- Web based
Magazines
28.9% 119
games
8.7% 36 standards, if Saudi organizations have specialist IT security
Other 0.7% 3
staff and if Saudi IT practitioners are sufficiently qualified
Seminars 21.1% 87
in information security. The study has also shown that the
most appropriate methods of disseminating information
There are a number of interesting observations that can be about Information Security to the general public is via Web
made about these two questions. Firstly, the number of portals or via newspapers. Both of these mechanisms
respondents who used the “Other” option in the previous address the problems of distance and strict cultural controls
question which was about the sources that have been used to that apply to women.
learn about information security is only 21.8%. This means
that, apart from the 5 listed options, most respondents had
not used many other methods to find out about Information ACKNOLEDGMENT
Security. However, when presented with a larger set of The authors would like to thank to King Saud University in
information dissemination methods (Table XI) respondents
Saudi Arabia for their funding of the scholarship for this
found many of them useful. For example, 50.7% nominated
research.
newspapers as an effective medium (Table XI) but very few
included newspapers as an “Other” mechanism that they had REFERENCES
already used in the sources of learning about Information
Security question. The most likely reason for this [1] H. Afyouni, Database Security and Auditing: Protecting Data
Integrity and Accessibility.,Thomson Course, Canada, 2006.
discrepancy is that respondents believed that newspapers
could be effective but that they had not previously found the [2] R. Bragg, M. Ousley, and K. Strassberg, Network Security: The
information they required in newspapers. This is not Complete Reference, Coral Ventura, United States of America, 2004.
surprising as Saudi newspapers are highly conservative and [3] C. Easttom, Computer Security Fundamentals, Pearson Prentice Hall,
highly censored, so newspapers have probably paid scant United States of America, 2006.
attention to a problem that only affects the Web, which is a
[4] E. Turban, J. Wetherbe, and E. McLean, Information Security
major competitor to print media. Similarly, documentaries Technology for Management: Improving Quality and Productivity, 3rd
and billboard posters were far better represented in Table XI Edition. Wiley, United State of America, 1996.
(35.2% and 28.9%, respectively) than the 21.8% “Other” in
[5] W. Stallings, and L. Brown, Computer Security Principles and Practice,
the sources of learning about Information Security question. Pearson Education, United States of America, 2008.
Once again, the print and television media in Saudi Arabia
are not concerned about threats to online information. [6] M. Whitman, and H. Mattord, Management of Information Security,
Thomson Course Technology, Canada, 2008.
V. CONCLUSIONS AND FUTURE RESEARCH [7] M. Siponen, “A conceptual foundation for organizational: information
Saudi Arabia had the ninth highest incidence of Information security awareness”, Information Management & Computer Security,
vol. 8, 2000 pp. 31-41.
Security attacks in the world in 2008 and the seventh highest
in 2009 according to Kaspersky Lab; this is unusual, given [8] H. Kruger, L. Drvein, and T. Steyn, ”A vocabulary test to assess
its relatively small population and level of Internet adoption. information security awareness”, Information Management &
Computer Security, vol. 18, 2010, pp. 316-327.

11
[9] Kaspersky Security Bulletin,
http://www.kaspersky.com/reading_room?chapter=207716858, 2010,
accessed 09/02/2010.
[10] J. Green, and N. Karolidies, Encyclopedia of Censorship, Facts On
File, New York, 2005.
[11] R. Deibert, J. Palfrey, R. Rohozinski, and J. Zittrain, Access Denied:
The Practice Policy of Global Internet Filtering, The MIT Press,
London, 2008.
[12] Library of Congress – Federal Research Division, Country Profile:
Saudi Arabia, September 2008.
[13] M. Moaddel, “The Saudi public speaks: religion, gender, and politics”,
International Journal of Middle East Studies, vol. 38, 2006, pp. 79-
108.
[14] H. Alhagil, Treasure lineage and Arts Complex, Saudi National House,
Riyadh, 2001.
[15] A. Alothimin, History of Saudi Arabia, Obekan Ltd., Riyadh, 2009.
[16] J. Creswell, Research design: Qualitative, quantitative, and mixed
method approaches, Sage Publications, California, 2003.
[17] D. Hancock, and B. Algozzine, Doing Case Study Research, Teachers
College Press, New York, 2006.

12