Study on Employee Information Security: Human Issue: Gaborone University College of Law and Professional Studies (GUC)

The purpose of the study was to establish the level Information Security among End User in

order to address the Human issue and its impacts on Information Security (IS) in organizations.

Human errors likely to result into excessive security breaches than technical vulnerabilities

(Hinson, 2003). Notable human errors include, deleting wrong file by mistake, entering wrong

value, pull out the wrong plug by mistake and configuration mistakes can leave the network

ports open, firewall vulnerable and system completely unprotected (Hinson, 2003). Employee

errors impact negatively on security controls such as firewalls and data protection policies

adopted by the organization (Hadlington, 2018). Human issues are the major hindrance in

achieving security goals such as maintaining confidentiality, insuring integrity, and assuring

availability of information in an organization (Cherdentseva and Hilton 2013). It is also notable

that employees who either work inside or outside the organization can compromise the essential

characteristics of information such as Confidentiality, Integrity and Availability (CIA). Despite

intense technical and physical security controls adopted by the organization, the availability of

malicious and none malicious employee in an organization hinders the effectiveness of counter

measures adopted to protect information (Greitzer and Hohimer, 2011). A none malicious

employee is an employee who is not aware of security controls adopted by the organization

and lack efficiency to protect data from threats but instead create security loopholes which can

exploited by an attacker. A malicious employee has the motive to disrupt, steal information,

bypass processes and procedures. However, none technical security counter measures such as

security awareness, training and organizational policy implementation can be used to mitigate

internal threats (Cherdentseva and Hilton 2013). In order to understand the human issue

information security, the research study adopted theoretical research models such as Protection

Motivation Theory (PMT), Technology Acceptance Model (TAM) and Theory of Planned

Behavior (TPB) Shenbagaraman 2016). The research population included Lectures and

Administrative personnel in the organization. The independent variable included employee

behavior, attitude and knowledge which were measured against dependent variables such as

password usage, email usage, knowledge on malicious protection and security controls in the

organization. Quantitative research methodology was adopted because data collected was

translated into figures for further analysis. A questionnaire of 33 questions were distributed to

32 participants to collect data. The survey found out that some employee engages in risk

behavior such as sharing password, using the same password to log in different systems or

applications. Some employee in the organization also lack knowledge on threat to information

security and are not security conscious to online cyber scams.