Improving Employees' Compliance Through Information Systems Security Training: An Action Research Study

1. In your opinion, what are the most common ways malicious software (viruses etc.) gets into our company’s network? 2. Where can you find our company’s official information security instructions? 3. Have you applied the instructions concerning SC’s e-mail use to your work? If yes, give some examples of what instructions and for what purposes they were used. 4. Did you find the instructions useful for your purposes? Were they easy to understand and use in practice? Why or why not? 5. Explain briefly the purpose of our company’s information classification rules. 6. How have you applied the information classification rules in your work (i.e., in practice)? 7. How much time do you spend processing e-mail (company’s e-mail account) on a weekly basis? (Your best estimate) 8. For what purposes do you use e-mail in your work? 9. What do you consider as acceptable use of our company’s e-mail system? 10. Give examples of what you consider unacceptable use of our company’s e-mail system? 11. Have you ever encountered malicious software in e-mail attachments? Did this happen at SC or somewhere else? Explain what happened. 12. Have you ever followed (clicked and opened a page) a specially crafted, malicious link in an e-mail message? Did this happen at SC or somewhere else? What happened? 13. How many spam messages do you receive at our company’s e-mail account (e.g., on a weekly basis)? Also give an estimate of how many received messages (e.g., percentage) are spam. Have you ever tried to answer any of the spam messages? 14. In your opinion, by what means is it possible to distinguish relevant e-mail messages from spam or other possibly dangerous messages? 15. By what means would you ensure it is safe to open an e-mail attachment?