Human aspects of information security questionnaire (HAIS-Q) – Croatian translation and validation

Authors

Suzana Prenđa
Ministry of Defense, Croatia
Petra Mikac
Ministry of Defense, Croatia
Suzana Rački
Ministry of Defense, Croatia

Synopsis

The most vulnerable aspect of the information security system is the human factor. Therefore, information security awareness (ISA) among employees is the key to mitigating risk and protecting organizations from social engineering and cyber attacks. The aim of this research was to adapt and validate the Human Aspects of Information Security Questionnaire (HAIS-Q) on the Croatian population to get a fast, cost-efficient, comprehensive, work behavior-oriented ISA assessment method. The HAIS-Q, which is based on the knowledge-attitudes-behavior (KAB) model, was chosen for that purpose. Each assessment area in the HAIS-Q (knowledge, attitudes and behavior) consists of seven focus areas, which represent specific areas of human aspects of IS. The validation of the questionnaire was carried out in three phases. In the first phase, the questionnaire was translated and adapted in collaboration with psychologists, translators and experts in IS. In the second phase, a pilot study was conducted on 18 participants, after which some items were simplified and certain terms changed. In the third phase, the main study was conducted to further check the validity, reliability and sensitivity of the questionnaire. All of those parameters were found to be satisfactory. The responses on individual items are distributed across the full range of possible responses, which shows good sensitivity. Cronbach's Alpha coefficients indicate that the scales measure the same construct, which shows high reliability. Pearson correlation coefficients between the HAIS-Q results and risk behavior assessments, as well as between the HAIS-Q results and the Users' Information Security Awareness Questionnaire (UISAQ) results, indicate good validity. Therefore, the results indicate that the questionnaire can be used for a simple and quick assessment of ISA and as a basis for improving IS.
The collected data enable an overview of the greatest risks of IS within the framework of human aspects in an organization, which can be used for education, improvement of existing security measures of the organization or development of new ones. Shortcomings and recommendations for further development are listed.

Published

April 30, 2024

How to Cite

Prenđa, S., Mikac, P., & Rački, S. (2024). Human aspects of information security questionnaire (HAIS-Q) – Croatian translation and validation. In I. Tucak Junaković (Ed.), 23rd Psychology Days in Zadar: Book of Selected Proceedings (pp. 97-104). Morepress Books. https://morepress.unizd.hr/books/index.php/press/catalog/book/121/chapter/603