Computers Security

A new approach, based on the k-Nearest Neighbor (kNN) classifier, is used to classify program behavior as normal or intrusive. Short sequences of system calls have been used by others to characterize a program's normal behavior before. However, separate databases of short system call sequences have to be built for different programs, and learning program profiles involves time-consuming training and testing processes. With the kNN classifier, the frequencies of system calls are used to describe the program behavior. Text categorization techniques are adopted to convert each process to a vector and calculate the similarity between two program activities. Since there is no need to learn individual program profiles separately, the calculation involved is largely reduced. Preliminary experiments with 1998 DARPA BSM audit data show that the kNN classifier can effectively detect intrusive attacks and achieve a low false positive rate.

This research investigated information systems security policy (ISSP) compliance by drawing upon two relevant theories i.e. the theory of planned behavior (TPB) and the protection motivation theory (PMT). A research model that fused constituents of the aforementioned theories was proposed and validated. Relevant hypotheses were developed to test the research conceptualization. Data analysis was performed using the partial least squares (PLS) technique. Using a survey of 124 business managers and IS professionals, this study showed that factors such as self-efficacy, attitude toward compliance, subjective norms, response efficacy and perceived vulnerability positively influence ISSP behavioral compliance intentions of employees. The data analysis did not support perceived severity and response cost as being predictors of ISSP behavioral compliance intentions. The study's implications for research and practice are discussed.

Behavioral information security Research challenges Deviant security behavior a b s t r a c t Information Security (InfoSec) research is far reaching and includes many approaches to deal with protecting and mitigating threats to the information assets and technical resources available within computer based systems. Although a predominant weakness in properly securing information assets is the individual user within an organization, much of the focus of extant security research is on technical issues. The purpose of this paper is to highlight future directions for Behavioral InfoSec research, which is a newer, growing area of research. The ensuing paper presents information about challenges currently faced and future directions that Behavioral InfoSec researchers should explore. These areas include separating insider deviant behavior from insider misbehavior, approaches to understanding hackers, improving information security compliance, cross-cultural Behavioral InfoSec research, and data collection and measurement issues in Behavioral InfoSec research.

Do people really care about their privacy? Surveys show that privacy is a primary concern for citizens in the digital age. On the other hand, individuals reveal personal information for relatively small rewards, often just for drawing the attention of peers in an online social network. This inconsistency of privacy attitudes and privacy behaviour is often referred to as the "privacy paradox". In this paper, we present the results of a review of research literature on the privacy paradox. We analyze studies that provide evidence of a paradoxical dichotomy between attitudes and behaviour and studies that challenge the existence of such a phenomenon. The diverse research results are explained by the diversity in research methods, the different contexts and the different conceptualisations of the privacy paradox. We also present several interpretations of the privacy paradox, stemming from social theory, psychology, behavioural economics and, in one case, from quantum theory. We conclude that current research has improved our understanding of the privacy paradox phenomenon. It is, however, a complex phenomenon that requires extensive further research. Thus, we call for synthetic studies to be based on comprehensive theoretical models that take into account the diversity of personal information and the diversity of privacy concerns. We suggest that future studies should use evidence of actual behaviour rather than self-reported behaviour.

This paper describes a generic model of matching that can be usefully applied to misuse intrusion detection. The model is based on Colored Petri Nets. Guards define the context in which signatures are matched. The notion of start and final states, and paths between them define the set of event sequences matched by the net. Partial order matching can also be specified in this model. The main benefits of the model are its generality, portability and flexibility.

Due to the intensified need for improved information security, many organisations have established information security awareness programs to ensure that their employees are informed and aware of security risks, thereby protecting themselves and their profitability. In order for a security awareness program to add value to an organisation and at the same time make a contribution to the field of information security, it is necessary to have a set of methods to study and measure its effect. The objective of this paper is to report on the development of a prototype model for measuring information security awareness in an international mining company. Following a description of the model, a brief discussion of the application results is presented.

Social cognitive theory User behavior a b s t r a c t The ultimate success of information security depends on appropriate information security practice behaviors by the end users. Based on social cognitive theory, this study models and tests relationships among self-efficacy in information security, security practice behavior and motivation to strengthen security efforts. This study also explores antecedents to individuals' self-efficacy beliefs in information security. Results provide support for the many hypothesized relationships. This study provides an initial step toward understanding of the applicability of social cognitive theory in a new domain of information security. The results suggest that simply listing what not to do and penalties associated with a wrong doing in the users' information security policy alone will have a limited impact on effective implementation of security measures. The findings may help information security professionals design security awareness programs that more effectively increase the self-efficacy in information security.

Traffic behavior analysis Network flows Machine learning a b s t r a c t Botnets represent one of the most serious cybersecurity threats faced by organizations today. Botnets have been used as the main vector in carrying many cyber crimes reported in the recent news. While a significant amount of research has been accomplished on botnet analysis and detection, several challenges remain unaddressed, such as the ability to design detectors which can cope with new forms of botnets. In this paper, we propose a new approach to detect botnet activity based on traffic behavior analysis by classifying network traffic behavior using machine learning. Traffic behavior analysis methods do not depend on the packets payload, which means that they can work with encrypted network communication protocols. Network traffic information can usually be easily retrieved from various network devices without affecting significantly network performance or service availability. We study the feasibility of detecting botnet activity without having seen a complete network flow by classifying behavior based on time intervals. Using existing datasets, we show experimentally that it is possible to identify the presence of existing and unknown botnets activity with high accuracy even with very small time windows. ª

Information technology has become an integral part of modern life. Today, the use of information permeates every aspect of both business and private lives. Most organizations need information systems to survive and prosper and thus need to be serious about protecting their information assets. Many of the processes needed to protect these information assets are, to a large extent, dependent on human cooperated behavior. Employees, whether intentionally or through negligence, often due to a lack of knowledge, are the greatest threat to information security. It has become widely accepted that the establishment of an organizational sub-culture of information security is key to managing the human factors involved in information security. This paper briefly examines the generic concept of corporate culture and then borrows from the management and economical sciences to present a conceptual model of information security culture. The presented model incorporates the concept of elasticity from the economical sciences in order to show how various variables in an information security culture influence each other. The purpose of the presented model is to facilitate conceptual thinking and argumentation about information security culture.

Educational simulation Video game Network security a b s t r a c t Although many of the concepts included in cyber security awareness training are universal, such training often must be tailored to address the policies and requirements of a particular organization. In addition, many forms of training fail because they are rote and do not require users to think about and apply security concepts. A flexible, highly interactive video game, CyberCIEGE, is described as a security awareness tool that can support organizational security training objectives while engaging typical users in an engaging security adventure. The game is now being successfully utilized for information assurance education and training by a variety of organizations. Preliminary results indicate the game can also be an effective addition to basic information awareness training programs for general computer users (e.g., annual awareness training.) ª c o m p u t e r s & s e c u r i t y 2 6 ( 2 0 0 7 ) 6 3 -7 2

Delay Tolerant Networks (DTNs) are type of Intermittently Connected Networks (ICNs) featured by long delay, intermittent connectivity, asymmetric data rates and high error rates. DTNs have been primarily developed for InterPlanetary Networks (IPNs), however, have shown promising potential in challenged networks i.e. DakNet, ZebraNet, KioskNet and WiderNet. Due to unique nature of intermittent connectivity and long delay, DTNs face challenges in routing, key management, privacy, fragmentation and misbehaving nodes. Here, misbehaving nodes i.e. malicious and selfish nodes launch various attacks including flood, packet drop and fake packets attack, inevitably overuse scarce resources (e.g., buffer and bandwidth) in DTNs. The focus of this survey is on a review of misbehaving node attacks, and detection algorithms. We firstly classify various of attacks depending on the type of misbehaving nodes. Then, detection algorithms for these misbehaving nodes are categorized depending on preventive and detective based features. The panoramic view on misbehaving nodes and detection algorithms are further analyzed, evaluated mathematically through a number of performance metrics. Future directions guiding this topic are also presented.

The concept of security culture is relatively new. It is often investigated in a simplistic manner focusing on end-users and on the technical aspects of security. Security, however, is a management problem and as a result, the investigation of security culture should also have a management focus. This paper describes a framework of eight dimensions of culture. Each dimension is discussed in terms of how they relate specifically to security culture based on a number of previously published case studies. We believe that use of this framework in security culture research will reduce the inherent biases of researchers who tend to focus on only technical aspects of culture from an end users perspective.

End user threats a b s t r a c t Personal Internet users are increasingly finding themselves exposed to security threats during their use of home PC systems. However, concern can be raised about users' awareness of these problems, and the extent to which they are consequently protected and equipped to deal with incidents they may encounter. This paper presents results from a survey of 415 home users to assess their perceptions of security issues, and their attitudes towards the use of related safeguards. The findings reveal that although there is a high degree of confidence at a surface level, with respondents claiming to be aware of the threats and utilising many of the relevant safeguards, a deeper inspection suggests that there are several areas in which desirable knowledge and understanding are lacking. Although many of the problems were predictably acute amongst novice users, there were also notable shortcomings amongst users who considered themselves to have advanced levels of computing experience. (S.M. Furnell). a v a i l a b l e a t w w w . s c i e n c e d i r e c t . c o m j o u r n a l h o m e p a g e : w w w . e l s e v i e r . c o m / l o c a t e / c o s e 0167-4048/$ -see front matter ª

Computer security has traditionally been assessed from a technical point of view. One other view is about the role played by legitimate users of systems in impairing the level of protection. In order to address this issue, we wish to adopt a multidisciplinary standpoint and investigate some of the human aspects involved in computer security. From research in psychology, it is known that people make biased decisions. They sometimes overlook rules in order to gain maximum benefits for the cost of a given action. This situation leads to insidious security lapses whereby the level of protection is traded-off against usability. In this paper, we highlight the cognitive processes underlying such security impairments. At the end of the paper, we propose a short usability-centered set of recommendations.

The current study was a pilot study and attempted to add to the growing body of knowledge regarding inherent issues in computer forensics. The study consisted of an Internet based survey that asked respondents to identify the top five issues in computer forensics. 60 respondents answered the survey using a free form text field. The results indicated that education/training and certification were the most reported issue (18%) and lack of funding was the least reported (4%). These findings are consistent with a similar law enforcement community study . The findings emphasize the fragmented nature of the computer forensics discipline. Currently there is a lack of a national framework for curricula and training development, and no gold standard for professional certification. The findings further support the criticism that there is a disproportional focus on the applied aspects of computer forensics, at the expense of the development of fundamental theories. Further implications of the findings are discussed as well as suggestions for future research in the area.

In the past, home automation was a small market for technology enthusiasts. Interconnectivity between devices was down to the owner's technical skills and creativity, while security was non-existent or primitive, because cyber threats were also largely non-existent or primitive. This is not the case any more. The adoption of Internet of Things technologies, cloud computing, artificial intelligence and an increasingly wide range of sensing and actuation capabilities has led to smart homes that are more practical, but also genuinely attractive targets for cyber attacks. Here, we classify applicable cyber threats according to a novel taxonomy, focusing not only on the attack vectors that can be used, but also the potential impact on the systems and ultimately on the occupants and their domestic life. Utilising the taxonomy, we classify twenty five different smart home attacks, providing further examples of legitimate, yet vulnerable smart home configurations which can lead to second-order attack vectors. We then review existing smart home defence mechanisms and discuss open research problems. Reference Key security properties Vulnerabilities/challenges Security recommended Open problems identified Komninos et al. [1] Confidentiality Connected to Internet Auto-immunity to threats Resilience Physical tampering Reliability, availability Lin et al. [2] Confidentiality Phys./netw. accessibility Gateway architecture Auto-configuration Authentication Constrained resources Updates Access control Heterogeneity Nawir et al. [6] Smart meter integrity Remote connectivity Techn. countermeasures Standardisation Privacy Physical tampering Regulatory initiatives Impact evaluation, metrics Non-repudiation Malicious actuation Intrusion detection Authorisation Logging for audit/forensics Ziegeldorf et al.[5]

Password is the most widely used identity verification method in computer security domain. However, because of its simplicity, it is vulnerable to imposter attacks. Use of keystroke dynamics can result in a more secure verification system. Recently, Cho et al. (J Organ Comput Electron Commerce 10 proposed autoassociative neural network approach, which used only the user's typing patterns, yet reporting a low error rate: 1.0% false rejection rate (FRR) and 0% false acceptance rate (FAR). However, the previous research had some limitations: (1) it took too long to train the model; (2) data were preprocessed subjectively by a human; and (3) a large data set was required. In this article, we propose the corresponding solutions for these limitations with an SVM novelty detector, GAeSVM wrapper feature subset selection, and an ensemble creation based on feature selection, respectively. Experimental results show that the proposed methods are promising, and that the keystroke dynamics is a viable and practical way to add more security to identity verification. ª

Internet users experience a variety of online security threats that require them to enact safety precautions. Protection Motivation Theory (PMT) provides a theoretical framework for understanding Internet users' security protection that has informed past research. Ongoing research on online safety recommends new motivational factors that are integrated here in a PMT framework for the first time. Using PMT, a cross-sectional survey (N = 988) of Amazon Mechanical Turk (MTurk) users was conducted to examine how classical and new PMT factors predicted security intentions. Coping appraisal variables were the strongest predictors of online safety intentions, especially habit strength, response efficacy, and personal responsibility. Threat severity was also a significant predictor. Incorporating additional factors (i.e., prior experiences, subjective norms, habit strength, perceived security support, and personal responsibility) into the conventional PMT model increased the model's explanatory power by 15%. Findings are discussed in relation to advancing PMT within the context of online security for home computer users.

Among the various computer security techniques practice today, cryptography has been identified as one of the most important solutions in the integrated digital security system. Cryptographic techniques such as encryption can provide very long passwords that are not required to be remembered but are in turn protected by simple password, hence defecting their purpose. In this paper, we proposed a novel two-stage technique to generate personalized cryptographic keys from the face biometric, which offers the inextricably link to its owner. At the first stage, integral transform of biometric input is to discretise to produce a set of bit representation with a set of tokenised pseudo random number, coined as FaceHash. In the second stage, FaceHash is then securely reduced to a single cryptographic key via Shamir secret-sharing. Tokenised FaceHashing is rigorously protective of the face data, with security comparable to cryptographic hashing of token and knowledge key-factor. The key is constructed to resist cryptanalysis even against an adversary who captures the user device or the feature descriptor. ª

This paper aims at surveying the extrinsic and intrinsic motivations that influence the propensity toward compliant information security behavior. Information security behavior refers to a set of core information security activities that have to be adhered to by endusers to maintain information security as defined by information security policies. The intention is to classify the research done on compliant information security behavior from an end-user perspective and arrange it as a taxonomy predicated on Self-Determination Theory (SDT). In addition, the relative significance of factors that contribute to compliant information security behavior is evaluated on the basis of empirical studies. The taxonomy will be valuable in providing a comprehensive overview of the factors that influence compliant information security behavior and in identifying areas that require further research.

Coping with malware is getting more and more challenging, given their relentless growth in complexity and volume. One of the most common approaches in literature is using machine learning techniques, to automatically learn models and patterns behind such complexity, and to develop technologies to keep pace with malware evolution. This survey aims at providing an overview on the way machine learning has been used so far in the context of malware analysis in Windows environments, i.e. for the analysis of Portable Executables. We systematize surveyed papers according to their objectives (i.e., the expected output), what information about malware they specifically use (i.e., the features), and what machine learning techniques they employ (i.e., what algorithm is used to process the input and produce the output). We also outline a number of issues and challenges, including those concerning the used datasets, and identify the main current topical trends and how to possibly advance them. In particular, we introduce the novel concept of malware analysis economics, regarding the study of existing trade-offs among key metrics, such as analysis accuracy and economical costs.

With the increasing usage of smartphones a plethora of security solutions are being designed and developed. Many of the security solutions fail to cope with advanced attacks and are not aways properly designed for smartphone platforms. Therefore, there is a need for a methodology to evaluate their effectiveness. Since the Android operating system has the highest market share today, we decided to focus on it in this study in which we review some of the state-of-the-art security solutions for Android-based smartphones. In addition, we present a set of evaluation criteria aiming at evaluating security mechanisms that are specifically designed for Android-based smartphones. We believe that the proposed framework will help security solution designers develop more effective solutions and assist security experts evaluate the effectiveness of security solutions for Android-based smartphones.

In this paper, a novel efficient remote user authentication scheme using smart cards based on Elliptic Curve Discrete Logarithm Problem (ECDLP) has been proposed. A remote user authentication scheme is a two-party protocol whereby an authentication server confirms the identity of a remote individual logging on to the server over an untrusted, unsecured network. The password based authentication schemes are commonly used for authenticating remote users. Many passwords based schemes both with and without smart card have been proposed; each scheme has its merits and demerits. Our proposed scheme does not require verifier table and allows the user to choose their passwords. The proposed scheme also withstands message replying attack.

The existence of online social networks that include person specific information creates interesting opportunities for various applications ranging from marketing to community organization. On the other hand, security and privacy concerns need to be addressed for creating such applications. Improving social network access control systems appears as the first step toward addressing the existing security and privacy concerns related to online social networks. To address some of the current limitations, we have created an experimental social network using synthetic data which we then use to test the efficacy of the semantic reasoning based approaches we have previously suggested. ª a v a i l a b l e a t w w w . s c i e n c e d i r e c t . c o m j o u r n a l h o m e p a g e : w w w . e l s e v i e r . c o m / l o c a t e / c o s e c o m p u t e r s & s e c u r i t y 3 0 ( 2 0 1 1 ) 1 0 8 e1 1 5 0167-4048/$ e see front matter ª

Contactless and contact smart card systems use the physical constraints of the communication channel to implicitly prove the proximity of a token. These systems, however, are potentially vulnerable to an attack where the attacker relays communication between the reader and a token. Relay attacks are not new but are often not considered a major threat, like eavesdropping or skimming attacks, even though they arguably pose an equivalent security risk. In this paper we discuss the feasibility of implementing passive and active relay attacks against smart tokens and the possible security implications if an attacker succeeds. Finally, we evaluate the effectiveness of time-out constraints, distance bounding and the use of a additional verification techniques for making systems relay-resistant and explain the challenges still facing these mechanisms.

In the modern multi-user computer environment, Internet-capable network servers provide connectivity that allows a large portion of the user population to access information at the desktop from sources around the world. Because of the ease with which information can be accessed, computer security breaches may occur unless systems and restricted information stored therein are kept secure. Breaches of security can have serious consequences, including theft of confidential corporate documents, compromise of intellectual property, unauthorized modification of systems and data, denial of service, and others. Considerable research has been conducted on threats to security.

poor decision-making and inadequate or inappropriate security strategies. In this conceptual paper, we propose a situation aware ISRM (SA-ISRM) process model to complement the information security risk management process. Our argument is that the model addresses the aforementioned deficiencies through an enterprise-wide collection, analysis and reporting of risk-related information. The SA-ISRM model is adapted from Endsley's situation awareness model and has been refined using our findings from a case study of the US national security intelligence enterprise.

Nanocrystalline Al 3+ ions doped Mg 0.2 Mn 0.5 Ni 0.3 Al y Fe 2Ày O 4 compositions, where y = 0.0, 0.05 and 0.10 have been synthesized by citrate precursor method. Crystal structure and magnetic properties have been investigated at 300 K by means of X-ray diffraction, transmission electron microscope (TEM), vibrating sample magnetometer (VSM) and Mössbauer spectra measurements. XRD study reveals that particle size decreases from 102.25 nm to 41.65 nm. A decrease in lattice constant and saturation magnetization was attributed to smaller ionic radius of Al 3+ ions and weakening of super exchange interaction. Experimental and X-ray density decrease with increasing aluminum concentration. Though Mössbauer spectra of y = 0.0 exhibit normal Zeeman split sextets, spectra of samples for y = 0.05 and 0.10 are characterized by simultaneous presence of a central paramagnetic doublet. Dependence of Mössbauer parameters such as isomer shift, quadrupole splitting, linewidth and hyperfine magnetic field on Al 3+ ions concentration have been discussed. Initial permeability 'l i ', saturation magnetization (4 pM S ), retentivity (M R ), Bohr magneton number (n N B ), magneto crystalline anisotropy constant (K 1 ) and magnetic loss decreases while coercivity (H C ) increases with increasing substitution of Al 3+ ions. Magnetic loss has very low value in the range of 10 À3 which is two orders of magnitude less than samples prepared by conventional method.

A very federal higher educational system with many universities and as many different student authentication systems exists in Switzerland. Initiated by the Swiss Virtual Campus and by the demand for more inter-university work and student mobility, SWITCH, the Swiss education and research network started to evaluate authentication and authorization architectures.

The scope of this paper is to review and evaluate all constant round Group Key Agreement (GKA) protocols proposed so far in the literature. We have gathered all GKA protocols that require 1,2,3,4 and 5 rounds and examined their efficiency. In particular, we calculated each protocol's computation and communication complexity and using proper assessments we compared their total energy cost. The evaluation of all protocols, interesting on its own, can also serve as a reference point for future works and contribute to the establishment of new, more efficient constant round protocols.

Privacy breaches and their regulatory implications have attracted corporate attention in recent times. An often overlooked cause of privacy breaches is human error. In this study, we first apply a model based on the widely accepted GEMS error typology to analyze publicly reported privacy breach incidents within the U.S. Then, based on an examination of the causes of the reported privacy breach incidents, we propose a defense-in-depth solution strategy founded on error avoidance, error interception, and error correction.

The extensive usage of smartphones has been the major driving force behind a drastic increase of new security threats. The stealthy techniques used by malware make them hard to detect with signature based intrusion detection and anti-malware methods. In this paper, we present PIndroid-a novel Permissions and Intents based framework for identifying Android malware apps. To the best of our knowledge, PIndroid is the first solution that uses a combination of permissions and intents supplemented with multiple stages of classifiers for malware detection. Ensemble techniques are applied for optimization of detection results. We apply the proposed approach on 1,745 real world applications and obtain 99.8% accuracy which is the best reported to date. Empirical results suggest that our proposed framework built on permissions and intents is effective in detecting malware applications.

Designers and users of encryption algorithms used in cipher systems need a systematic approach in examining their ciphers prior to use, to ensure that they are safe from cryptanalytic attack. This paper describes a computer package used for assessing the security of newly-developed encryption algorithms.

This article introduces to the reader the sceptic of the economic evaluation of a security framework. We identify that there must be an economic evaluation of security investment, in order to avoid cost and risks of a security breach. We vindicate why the security economic plan must encompass our choices to provide security solutions. Furthermore, what are the measurements that are employed to provide the confidence of security to an acceptable level.

Since the publication of a seminal paper on "RBAC -role based access control models" in 1996 (IEEE Computer) a huge amount of work has been published on the application of sociological role theory in Information Security. Theoretical role models and interpretations as well as several commercial products are for instance based on the role concept and use them as their underlying access control paradigm. A conducted scientific literature collection revealed 866 publications dealing with roles in the context of Information Security. Although there is an ANSI/NIST standard and an ISO standard proposal there are a variety of competing models and application scenarios available and based on their different concepts and interpretations there is lack of consensus and clarity. Additionally, in practice several interpretations of the role concept have developed, dealing with the usage of theoretical findings on roles to improve existing security technologies. Because of the current situation there is need for a comprehensive article surveying the different proposals and streams of research on roles in Information Security. The goal and major contribution of this survey are a categorization of existing research into different classes following a three-level classification methodology. Based on a well-defined methodology a general categorization of the complete underlying set of publications, including general statistical data is provided. The main part of the work is investigating 30 identified research directions, evaluating their importance, and analyzing research tendencies and trends. An electronic bibliography including all surveyed publications together with the classification information is provided additionally. As a final contribution of the paper future trends in the area of role -research based on the data collected and own personal interpretations are predicted.

The human aspect, together with technology and process controls, needs to be considered as part of an information security programme. Current and former employees are still regarded as one of the root causes of information security incidents. One way of addressing the human aspect is to embed an information security culture where the interaction of employees with information assets contributes to the protection of these assets. In other words, it is critical to improve the information security culture in organisations such that the behaviour of employees is in compliance with information security and related information processing policies and regulatory requirements. This can be achieved by assessing, monitoring and influencing an information security culture. An information security culture can be assessed by using an approach such as an information security culture assessment (ISCA). The empirical data derived from an ISCA can be used to influence the information security culture by focussing on developmental areas, of which awareness and training programmes are a critical facet. In this paper we discuss a case study of an international financial institution at which ISCA was conducted at four intervals over a period of eight years, across twelve countries. Comparative and multivariate analyses were conducted to establish whether the information security culture improved from one assessment to the next based on the developmental actions implemented. One of the key actions implemented was training and awareness focussing on the critical dimensions identified by ISCA. The information security culture improved from one assessment to the next, with the most positive results in in the fourth assessment. This research illustrates that the theoretical ISCA tool previously developed can be implemented successfully in organisations to positively influence the information security culture. Empirical evidence is provided supporting the effectiveness of ISCA in the context of identified shortcomings in the organisation's information security culture. In addition, empirical evidence is presented indicating that information security training and awareness is a significant factor in positively influencing an information security culture when applied in the context of ISCA.