Abstract
Cyber-attacks are one of the main threats to information systems, and humans have been identified as the weakest link in information security. Organizations continuously invest resources to reinforce their security dispositions, but regularly fall victim to unwanted intrusions to their information systems due to vulnerabilities caused by human activity on these systems. Sensitive areas such as the management of water infrastructure have also been targeted by cyber terrorists as previously recorded. This study aimed to develop a measurement model to evaluate the level of cybersecurity awareness (CSA) in the water sector in South Africa. The underpinnings of cyber system usage across industries are similar, and as a result a broad-based approach was taken to configuring an instrument that can be used to adequately assess the sample space in question. The goal of having a reliable instrument to measure CSA is that it helps mitigate failed attempts at preparing employees for imminent cyber disruptions by pinpointing areas where training is needed before campaigns can be put together. A systematic literature review explored the existing instruments used to measure CSA in various institutions. The relationships between CSA, knowledge, attitude and behaviour were explored in this study in order to identify what areas of interest most affect the level of CSA of employees in the water sector. This process buttressed the development of an improved model which focuses on the knowledge, attitude and behaviour of individuals in the water industry with regard to their usage of cyberspace. Key focus areas were evaluated to certify if a given employee possesses an acceptable level of CSA. The measurement instrument developed in this study provides employers in the water sector with a tool through which they can verify the CSA levels of their employees, and inform training programmes according to the results obtained from the assessments. This study shows that the psychology of employees with respect to CSA is compartmentalised into three traits: knowledge, attitude and behaviour. These three traits can be assessed under the following eight focus areas to check employee resilience to cybersecurity: IS policy adherence, password management, email use, internet use, social media use, mobile devices, information handling and incident reporting. Employees are required to answer questions formulated under these focus areas to facilitate the evaluation of their awareness level. For the water sector in 4 particular, the less compromised the water infrastructure is, the more at ease the employees and the community can be, so it is crucial to improve the awareness of the first line of defence against cyber-attacks.
M.Eng. (Engineering Management)