Table 13.
Questions in the employee and student versions of HAIS-Q
| Ver. | Knowledge | Attitude | Behaviour |
|---|---|---|---|
| Focus area: Password management | |||
| Employees | It’s acceptable to use my social media passwords on my work accounts. | It’s safe to use the same password for social media and work accounts. | I use a different password for my social media and work accounts. |
| I am allowed to share my work passwords with colleagues. | It’s a bad idea to share my work passwords, even if a colleague asks for them. | I share my work passwords with colleagues. | |
| A mixture of letters, numbers and symbols is necessary for work passwords. | It’s safe to have a work password with just letters. | I use a combination of letters, numbers and symbols in my work passwords. | |
| Students | It’s acceptable to use my social media passwords on my study accounts. | It’s safe to use the same password for social media and study accounts. | I use a different password for my social media and study accounts. |
| I am allowed to share my study passwords with classmates. | It’s a bad idea to share my study passwords, even if a classmate asks for them. | I share my study passwords with classmates. | |
| A mixture of letters, numbers and symbols is necessary for study passwords. | It’s safe to have a study password with just letters. | I use a combination of letters, numbers and symbols in my study passwords. | |
| Focus area: Email use | |||
| Employees | I am allowed to click on any links in emails from people I know. | It’s always safe to click on links in emails from people I know. | I don’t always click on links in emails just because they come from someone I know. |
| I am not permitted to click on a link in an email from an unknown sender. | Nothing bad can happen if I click on a link in an email from an unknown sender. | If an email from an unknown sender looks interesting, I click on a link within it. | |
| I am allowed to open email attachments from unknown senders. | It’s risky to open an email attachment from an unknown sender. | I don’t open email attachments if the sender is unknown to me. | |
| Students | I am allowed to click on any links in emails from people I know. | It’s always safe to click on links in emails from people I know. | I don’t always click on links in emails just because they come from someone I know. |
| I am not permitted to click on a link in an email from an unknown sender. | Nothing bad can happen if I click on a link in an email from an unknown sender. | If an email from an unknown sender looks interesting, I click on a link within it. | |
| I am allowed to open email attachments from unknown senders. | It’s risky to open an email attachment from an unknown sender. | I don’t open email attachments if the sender is unknown to me. | |
| Focus area: Internet use | |||
| Employees | I am allowed to download any files onto my work computer if they help me to do my job. | It can be risky to download files on my work computer. | I download any files onto my work computer that will help me get the job done. |
| While I am at work, I shouldn’t access certain websites. | Just because I can access a website at work, doesn’t mean that it’s safe. | When accessing the Internet at work, I visit any website that I want to. | |
| I am allowed to enter any information on any website if it helps me do my job. | If it helps me to do my job, it doesn’t matter what information I put on a website. | I assess the safety of websites before entering information. | |
| Students | I am allowed to download any files onto my study computer if they help me to do my job. | It can be risky to download files on my study computer. | I download any files onto my study computer that will help me get the job done. |
| While I am at school, I shouldn’t access certain websites. | Just because I can access a website at school, doesn’t mean that it’s safe. | When accessing the Internet at school, I visit any website that I want to. | |
| I am allowed to enter any information on any website if it helps my study. | If it helps my study, it doesn’t matter what information I put on a website. | I assess the safety of websites before entering information. | |
| Focus area: Social media use | |||
| Employees | I must periodically review the privacy settings on my social media accounts. | It’s a good idea to regularly review my social media privacy settings. | I don’t regularly review my social media privacy settings. |
| I can’t be fired for something I post on social media. | It doesn’t matter if I post things on social media that I wouldn’ t normally say in public. | I don’t post anything on social media before considering any negative consequences. | |
| I can post what I want about work on social media. | It’s risky to post certain information about my work on social media. | I post whatever I want about my work on social media. | |
| Students | I must periodically review the privacy settings on my social media accounts. | It’s a good idea to regularly review my social media privacy settings. | I don’t regularly review my social media privacy settings. |
| I can’t be fired for something I post on social media. | It doesn’t matter if I post things on social media that I wouldn’ t normally say in public. | I don’t post anything on social media before considering any negative consequences. | |
| I can post what I want about study on social media. | It’s risky to post certain information about my study on social media. | I post whatever I want about my study on social media. | |
| Focus area: Mobile devices | |||
| Employees | When working in a public place, I have to keep my laptop with me at all times. | When working in a café, it’s safe to leave my laptop unattended for a minute. | When working in a public place, I leave my laptop unattended. |
| I am allowed to send sensitive work files via a public Wi-Fi network. | It’s risky to send sensitive work files using a public Wi-Fi network. | I send sensitive work files using a public Wi-Fi network. | |
| When working on a sensitive document. I must ensure that strangers can’ t see my laptop screen. | It’s risky to access sensitive work files on a laptop if strangers can see my screen. | I check that strangers can’t see my laptop screen if I’m working on a sensitive document. | |
| Students | When working in a public place, I have to keep my laptop with me at all times. | When working in a café, it’s safe to leave my laptop unattended for a minute. | When working in a public place, I leave my laptop unattended. |
| I am allowed to send sensitive study files via a public Wi-Fi network. | It’s risky to send sensitive study files using a public Wi-Fi network. | I send sensitive study files using a public Wi-Fi network. | |
| When working on a sensitive document. I must ensure that strangers can’ t see my laptop screen. | It’s risky to access sensitive work files on a laptop if strangers can see my screen. | I check that strangers can’t see my laptop screen if I’m working on a sensitive document. | |
| Focus area: Information handling | |||
| Employees | Sensitive print-outs can be disposed of in the same way as non-sensitive ones. | Disposing of sensitive print-outs by putting them in the rubbish bin is safe. | When sensitive print-outs need to be disposed of, I ensure that they are shredded or destroyed. |
| If I find a USB stick in a public place, I shouldn’t plug it into my work computer. | If I find a USB stick in a public place nothing bad can happen if I plug it into my work computer. | I wouldn’t plug a USB stick found in a public place into my work computer. | |
| I am allowed to leave print-outs containing sensitive information on my desk overnight. | It’s risky to leave print-outs that contain sensitive information on my desk overnight. | I leave print-outs that contain sensitive information on my desk when I’m not there. | |
| Students | Sensitive print-outs can be disposed of in the same way as non-sensitive ones. | Disposing of sensitive print-outs by putting them in the rubbish bin is safe. | When sensitive print-outs need to be disposed of, I ensure that they are shredded or destroyed. |
| If I find a USB stick in a public place, I shouldn’t plug it into my study computer. | If I find a USB stick in a public place nothing bad can happen if I plug it into my study computer. | I wouldn’t plug a USB stick found in a public place into my study computer. | |
| I am allowed to leave print-outs containing sensitive information on my desk in the dormitory overnight. | It’s risky to leave print-outs that contain sensitive information on my desk in the dormitory overnight. | I leave print-outs that contain sensitive information on my desk in the dormitory when I’m not there. | |
| Focus area: Incident reporting | |||
| Employees | If I see someone acting suspiciously in my workplace, I should report it. | If I ignore someone acting suspiciously in my workplace, nothing bad can happen. | If I saw someone acting suspiciously in my workplace, I would do something about it. |
| I must not ignore poor security behaviour by my colleagues. | Nothing bad can happen if I ignore poor security behaviour by a colleague. | If I noticed my colleague ignoring security rules, I wouldn’t take any action. | |
| It’s optional to report security incidents. | It’s risky to ignore security incidents, even if I think they’ re not significant. | If I noticed a security incident, I would report it. | |
| Students | If I see someone acting suspiciously in my school, I should report it. | If I ignore someone acting suspiciously in my school, nothing bad can happen. | If I saw someone acting suspiciously in my school, I would do something about it. |
| I must not ignore poor security behaviour by my classmates. | Nothing bad can happen if I ignore poor security behaviour by a classmate. | If I noticed my classmate ignoring security rules, I wouldn’t take any action. | |
| It’s optional to report security incidents. | It’s risky to ignore security incidents, even if I think they’re not significant. | If I noticed a security incident, I would report it. | |
Participants respond to each item on a five-point scale from”Strongly Disagree” to “Strongly Agree”