Categorization of users based on their information security related knowledge, attitude and behaviour: a pilot study

Authors

  • Damjan Fujs Univerza v Ljubljani
  • Simon Vrhovec
  • Damjan Vavpotič Univerza v Ljubljani

DOI:

https://doi.org/10.31449/upinf.137

Keywords:

cyber security, information security, requirements engineering, user segmentation

Abstract

In this paper, we present an approach for user categorization based on the established Human Aspects of Information Security Questionnaire (HAIS-Q). We clustered HAIS-Q data (N = 165) and identified three groups of users (low-, moderate- and high-risk users). The silhouette measure of cohesion and separation (0.44) was computed to validate the quality of the clustering, and it indicated fair cluster quality. Our approach (a combination of HAIS-Q and clustering) allows for the tailored training of 1) users who achieve the lowest values in HAIS-Q and 2) users who achieve high results overall but perform slightly worse in certain focus areas. Compared with similar approaches, the advantages of our approach are its ease of use and its mitigation of social desirability bias, since the approach is designed to analyze user groups only. Additionally, our approach allows for the prioritization of focus areas (variables), whereas existing studies treat all variables as equally important.

Published

2021-10-15 — Updated on 2021-10-15

How to Cite

Fujs, D., Vrhovec, S. and Vavpotič, D. 2021. Categorization of users based on their information security related knowledge, attitude and behaviour: a pilot study. Applied Informatics. 29, 3 (Oct. 2021). DOI:https://doi.org/10.31449/upinf.137.

Section

Short scientific articles