Information Security Awareness Raising Strategy Using Fuzzy AHP Method with HAIS-Q and ISO/IEC 27001:2013: A Case Study of XYZ Financial Institution


  • Yohan Adhi Styoutomo, University of Indonesia
  • Yova Ruldeviyani, University of Indonesia



Information Security Awareness, Fuzzy Analytical Hierarchy Process (FAHP), Human Aspects of the Information Security Questionnaire (HAIS-Q), ISO/IEC 27001:2013


XYZ financial institution is a government institution that receives and processes transaction reports from banks and remittances, so its data is classified as very confidential. However, while the Work from Home (WFH) policy was in effect during the Covid-19 pandemic, XYZ financial institution received many spam/phishing attacks. These incidents show that some employees need awareness of information security. The research offers a different Information Security Awareness (ISA) questionnaire using the Human Aspects of the Information Security Questionnaire (HAIS-Q) and ISO/IEC 27001:2013 as focus areas. The research uses the theory of Knowledge, Attitude, and Behavior (KAB) to determine the dimensions that need improvement, and the Fuzzy Analytical Hierarchy Process (FAHP) for priority ranking. Furthermore, the research conducts a Focus Group Discussion (FGD) to explore the root causes of employee behavior. The FGD results show that there are still employees who do not know about information security topics such as password combinations and length, and that this limited knowledge affects employees’ attitudes and behaviors. The research results from 34 respondents show that the employees’ information security awareness level is in the moderate category (78.8%). They still need to increase their awareness of information security, especially in managing passwords, using email and the Internet, and reporting incidents. Recommendations have been prepared to improve the dimensions and areas that have yet to be categorized as good. In the future, the ISA questionnaire is expected to be used in other organizations.



Author Biographies

Yohan Adhi Styoutomo, University of Indonesia

Master of Information Technology, Faculty of Computer Science

Yova Ruldeviyani, University of Indonesia

Master of Information Technology, Faculty of Computer Science




