Mid Sweden University

The General Data   Protection Regulation, an EU law that enters into force in May 2018, aims to   protect the sensitive data of individuals in our digitized world. The   responsibility for the sensitive data collected will be transferred to the   enforcement organizations. This requires that the correct data protection is   ensured. In this work, organizations must ensure that their employees have   knowledge of information security. To know which training efforts are needed,   a tool for measuring the maturity of information security in the organization   is needed.

Studies show that   it is difficult to measure users' security intentions and that there is a   lack of tools for this. The Information Security Behaviour Scale,   ISeBIS-scale, was in this study designed with the aim of testing whether this   scale could be used and how it could be used to evaluate change in a user's   information security intentions following a training effort.

In a case study,   the ISeBIS scale was tested in an explanatory sequential mixed method. The   selection team received a web survey, underwent education in information   security and then responded to the questionnaire again. After the results   were analysed, semistructured interviews were conducted with a selection of   respondents to explain the trends seen in the study.

The study shows   that to only use the ISeBIS scale is inadequate as a tool for evaluating user   safety behavior. The result after the training was difficult to analyze with   both negative and positive outcomes in the scale's statement. However, it   turned out that in combination with interviews with respondents it is seen   that it is a useful tool to draw attention to the underlying factors of the   answers, such as a lack of knowledge of the security features used daily and   shortcomings in security processes in the organization. Which might not have   been so transparent without the use of ISeBIS. The interviewees all meant   that the ISeBIS scale and the education given created awareness and above all   more discussion about how information security appeared in the organization   and what could be improved in the short and long term.