A Quantitative Study on Japanese Workers’ Awareness to Information Security Using the Data Collected by Web-Based Survey



INTRODUCTION
It is indisputable that the Internet is changing individuals' lifestyles and the form of business in the advanced information society. In particular, many empirical analyses of Information Technology (IT) have verified that IT investment contributes to improving not only business performance such as productivity and efficiency, but also GDP and the economic growth rate. In other words, investing in IT assets and introducing IT into business brings various positive economic effects. In addition, the digitalization of information is promoted in order to use it effectively. In the advanced information society, many researchers have focused only on such positive economic effects. However, enterprises and individuals are confronted with serious problems. One of them is the damage caused by information security incidents: illegal access, malware and phishing deal a serious blow to business. For example, in Japan it is pointed out that, compared with past cases of information leakage, the amount of individual and/or secret information leaked via networks has become enormous (Japan Network Security Association, 2008). To prevent such damage, many enterprises take various information security countermeasures.
There is much academic research on information security technology, such as cryptographic technology and secure networking, in the field of natural science. This accumulated research has achieved constant results. On the other hand, research in the social sciences, such as economics and business management, was not conducted until around 2000. Pioneering and representative studies include theoretical models of information security countermeasures and investment from the viewpoint of economics and management science (Gordon and Loeb, 2002; Varian, 2002). In addition, they discuss the incentive to take information security countermeasures. Since then, many studies have enhanced the above models (Gordon et al., 2003; Gordon and Loeb, 2006).
In particular, there are few empirical studies on information security. The primary reasons, among various ones, are that there is no data on information security countermeasures and that the data cannot easily be used even where it exists. Therefore, empirical analysis in the economics of information security is still at an exploratory stage. It is necessary to accumulate research not only to promote academic research but also for its social role. In Japan, organizations such as the Cyber Clean Center, the Japan Data Communications Association, the Japan Network Security Association and the Information-technology Promotion Agency collect and accumulate data on information security countermeasures and incidents. There is some empirical research using such data in Japan. For instance, one empirical study uses data from an investigation of the actual conditions of information processing to analyze the information security countermeasures in Japanese firms (Liu et al., 2007). Besides this, some researchers accumulate the data by themselves (Takemura, 2009; Takemura and Minetaki, 2009). They use data collected by survey and analyze the effect of information security countermeasures in Japanese firms. In each study, the subjects of these surveys are Japanese firms. Of course, it may be enough to analyze the effect of information security countermeasures on technologies and management by using data aggregated at the level of the office or enterprise. Such research is limited, however, because it cannot capture each worker's awareness to information security, which is an important factor. Analyses from the viewpoint of the worker's awareness to information security have appeared (Albrechtsen, 2007; Albrechtsen and Hovden, 2009; Takemura, 2009). Albrechtsen (2007) analyzes the effectiveness of information security countermeasures qualitatively by using data from interview studies (Albrechtsen, 2007; Albrechtsen and Hovden, 2009).
On the other hand, Takemura (2009) analyzes countermeasures by using data collected through self-conducted Web-based surveys (Takemura, 2009). These studies point out that it is meaningless for an enterprise merely to adopt formal countermeasures systematically if the level of awareness to information security is not high enough.
In this study, we analyze Japanese workers' awareness to information security based on various attributes such as working pattern, organization attributes and individual attributes. Next, we discuss effective countermeasures based on the results of the analysis. These results would have not only academic significance, but also business and political significance.

MATERIALS AND METHODS
Our web-based survey: As mentioned above, when we analyze data on information security countermeasures and investment, we first face a scarcity of data. In addition, the nature of this research requires individual data, not aggregated data. We analyze the workers' awareness to information security using the data collected through the Web-based survey "investigation on workers' Internet usage and awareness to information security", conducted in March 2009. The subjects of this survey are Japanese people who have been working for more than two years in enterprises. The sample size is 600. The sample is arranged by working pattern and by listed/non-listed enterprise as in Table 1. Table 2 shows basic statistics on the indexes of workers' awareness to information security. We investigate awareness to information security by dividing the four kinds of indexes roughly as: (1) recognition concerning individual information, (2) recognition concerning countermeasures and (3) moral awareness of information use. Each index is ordinal scale data with values between 1 and 5. The index takes a small value if the recognition is poor and, conversely, a large value if the recognition is rich. Table 3 shows information on some attributes used as categories. The contents are divided roughly into three kinds of categories: (1) working patterns, (2) organizational attributes and (3) individual attributes. Furthermore, each category has some subcategories.
Hypotheses: From the general damage caused by information security incidents, it is clear that the workers' awareness to information security differs according to attributes such as working pattern and organization attributes. Up until now, many surveys have generally analyzed the merits of IT usage. However, these merits and awareness to information security have not been quantitatively verified. Therefore, in this study, we examine whether or not the awareness to information security differs by attributes based on the categories in Table 3. We set up the following hypotheses: (H1) there is no difference in awareness on the information security by working pattern; (H2) there is no difference in awareness on the information security by organization attributes; and (H3) there is no difference in awareness on information security by individual attributes.
[Table fragment: attribute codings]
Age: 1: One's twenties; 2: One's thirties; 3: One's forties; 4: One's fifties; 5: One's sixties
The Internet terms of use: 1: Less than one year; 2: 1-2 years; 3: 2-3 years; 4: 4-5 years; 5: 6-7 years; 6: 8-9 years; 7: More than 10 years
Education about information security: 1: Not educated; 2: Some formal training and/or the university.
Analysis: First, we examine whether hypotheses H1, H2 and H3 are uniform. So, we can examine the level of information security in each group by using the median of the groups. Note that information security may be kept at a low level even if the awareness of information security is uniform. It is important for all workers in society to keep their awareness to information security at a high level. Even if many users with a rich awareness of information security exist, the level of information security in society in general becomes low if even a few users with poor awareness exist. If these hypotheses are verified according to human social factors in addition to quantitative verification, we should be able to reach an understanding of the true security level. We expect that there will be no difference in awareness of information security by the attributes in the subcategories in Table 3, excluding degree of infrastructure.  have explained firms with a high degree of infrastructure will require higher security levels than firms with a lower level of infrastructure. Therefore, we expect that there will be a difference in awareness of information security by the degree of infrastructure. We can also check the level of information security in each group by using the average value and the median of the groups. In order to verify this hypothesis, an Analysis Of Variance (ANOVA) is run.
Before running ANOVA, we need to check whether or not the data follow a normal distribution. There are various tests of normality. Generally, the Kolmogorov-Smirnov test and the Shapiro-Wilk test are accepted as more reliable among them. In these tests, the null hypothesis represents data that does not follow a normal distribution. Therefore, if the significance probability is less than 5%, the null hypothesis cannot be rejected and we can conclude that the data do not follow a normal distribution. Conversely, if the data follows a normal distribution, we can reject the null hypothesis. Table 4 shows the results of the Kolmogorov-Smirnov test and the Shapiro-Wilk test.
From Table 4, it is found that the data in this study do not follow a normal distribution because we cannot reject the null hypothesis. Unfortunately, we cannot run ANOVA by a parametric method such as the t-test and/or Tukey test. Therefore, we should run ANOVA based on a non-parametric method. Concretely, we examine whether or not there is a difference in the median, not in the average, in each category. As a feature of the non-parametric method, the data are assumed not to follow the normal distribution and we can use (questionnaire) data with an ordinal scale. Hereafter, we run four kinds of test (ANOVA) according to the categories in Table 3: the Mann-Whitney test, the Wilcoxon test and the Kruskal-Wallis test. Next, we briefly explain the procedure of each test. Refer to Wasserman (2007) for details of ANOVA based on a non-parametric method.
First, the Mann-Whitney test (Mann-Whitney's U test) and the Wilcoxon test are rank sum tests that examine the difference of the median between two groups. In these tests, we use the rank sum of the data arranged in ascending order, not the observed data. The test statistics are the U and W statistics. Note that we calculate the statistics by using the average rank if values in the data share the same order. From these statistics, we calculate the Z-value by using the standard deviation and average value. Because the distributions of U and W approximately follow the normal distribution, we can obtain asymptotic significance probabilities from the standard normal distribution table. Incidentally, the null hypothesis in either test is that there is no difference in the median of the two groups.
Next, the Kruskal-Wallis test is a rank sum test that examines the difference of the median between more than three groups. Test statistics in this test are calculated by using data arranged in ascending order as well as the Wilcoxon test. We can calculate H statistics and then obtain the asymptotic significant probabilities because the distribution of H statistics approximately follows the chi-square distribution of degree of freedom K-1.  Then, we can obtain the asymptotic significant probabilities from the standard normal distribution table because the distributions of these statistics approximately follow the normal distribution. Incidentally, the null hypothesis in either test is that there is no difference in the median of each group (more than three groups).
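The rank-sum procedures described above, as an added example that is not code from the paper: it computes the Mann-Whitney U and Z-value and the Kruskal-Wallis H using average ranks for ties. The scores are constructed 5-point data, and the tie correction applied to the standard deviation and to H is the standard one, assumed here because the text mentions only average ranks.

```python
import math
from collections import Counter

def average_ranks(values):
    """Map each value to its ascending rank; tied values share the mean rank."""
    counts = Counter(values)
    ranks, start = {}, 1
    for v in sorted(counts):
        ranks[v] = start + (counts[v] - 1) / 2
        start += counts[v]
    # Second result: sum of t^3 - t over tie groups, used by the tie corrections.
    return ranks, sum(t**3 - t for t in counts.values())

def mann_whitney(a, b):
    """U for group a, Z from U's mean and tie-corrected SD, two-sided p."""
    n1, n2, n = len(a), len(b), len(a) + len(b)
    ranks, ties = average_ranks(a + b)
    u = sum(ranks[v] for v in a) - n1 * (n1 + 1) / 2
    sd = math.sqrt(n1 * n2 / 12 * ((n + 1) - ties / (n * (n - 1))))
    z = (u - n1 * n2 / 2) / sd          # no continuity correction (assumption)
    return u, z, math.erfc(abs(z) / math.sqrt(2))

def chi2_sf(x, df):
    """Upper tail of the chi-square distribution via the standard recurrence."""
    q, k = (math.erfc(math.sqrt(x / 2)), 1) if df % 2 else (math.exp(-x / 2), 2)
    while k < df:
        q += (x / 2) ** (k / 2) * math.exp(-x / 2) / math.gamma(k / 2 + 1)
        k += 2
    return q

def kruskal_wallis(groups):
    """Tie-corrected H, degrees of freedom K-1, asymptotic p."""
    pooled = [v for g in groups for v in g]
    n = len(pooled)
    ranks, ties = average_ranks(pooled)
    s = sum(sum(ranks[v] for v in g) ** 2 / len(g) for g in groups)
    h = (12 / (n * (n + 1)) * s - 3 * (n + 1)) / (1 - ties / (n**3 - n))
    return h, len(groups) - 1, chi2_sf(h, len(groups) - 1)

# Constructed 5-point scores (1 = poor recognition, 5 = rich), not survey data.
EDUCATED = [4, 5, 4, 3, 5, 4]
NOT_EDUCATED = [2, 3, 3, 1, 4, 2]
THREE_GROUPS = [[1, 2, 2, 3], [3, 3, 4, 4], [4, 4, 5, 5]]

if __name__ == "__main__":
    print("Mann-Whitney U, Z, p:", mann_whitney(EDUCATED, NOT_EDUCATED))
    print("Kruskal-Wallis H, df, p:", kruskal_wallis(THREE_GROUPS))
```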

RESULTS AND DISCUSSION
Tables 5-20 show the results of the analysis. From these results, it is found that the workers' awareness to information security differs by many attributes. In Tables 5-20, *, ** and *** represent p<10%, p<5% and p<1%, respectively.
First, as a working pattern, differences in the median of X1, X25 and X31 in Table 5 are at a 1-5% significance level. From the Mann-Whitney test in Table 5 and the statistics in each subcategory, we cannot strictly claim that there is a relationship between awareness to information security and regular and non-regular working patterns, because whether the median is larger or smaller differs in each subcategory.
Next, in organizational attributes (Tables 6-17), we have differences in the median of many of the subcategories at a 1-10% significance level. Clearly, there are differences in the awareness to information security of workers who belong to organizations that have either some motivational systems or prohibited matters as countermeasures. From Tables 13-17 and the statistics in each subcategory, the awareness to information security of workers who belong to organizations with some motivational system is higher than that of workers who belong to organizations without such a system. This might imply that the motivational system contributes to improving awareness to information security. In addition, we verify that awareness to the countermeasures of workers in a listed firm is higher than that of workers in a non-listed firm. From the Kruskal-Wallis test in Tables 6-12 and the statistics in each subcategory, we can only know that the awareness to information security of workers is different.
Furthermore, as individual attributes (Tables 18-20), we have a few differences in the median of subcategories excluding information security and in the educational settings. This implies that education about information security changes the workers' awareness of countermeasures. From the Mann-Whitney test in Table 20 and the statistics in each subcategory, workers who received education on information security have a higher recognition of countermeasures than the other users, including self-educated users. Therefore, education in information security is clearly very important.
Finally, we check the three hypotheses. As a result of ANOVA, each hypothesis cannot be affirmed. In order to achieve a higher level of Japanese workers' awareness to information security, we need to discuss countermeasures and strategies in the firm and/or in the government in the future.

CONCLUSION
In this study, we examine whether or not there are differences in Japanese workers' awareness on information security based on various attributes by using ANOVA based on a non-parametric method. As a result, it is found that Japanese workers' awareness to information security differs by attributes such as organizational attributes and education about information security measures. They experience a difference in awareness in organizations that offer motivation and prohibit certain countermeasures. This implies that their awareness to information security and the countermeasures are affected by the environment of the organization.
The author claims that, as a system to motivate workers to take information security countermeasures, we need to enhance information security education, not just introduce IT tools. This implies that enhancing information security education would be an efficient information security countermeasure in firms.
Research on the "economics of information security" is not only meaningful in the social sciences, but also essential in real business activities. Therefore, this type of research needs to accumulate. We will continue to research the social and economic effects of information security countermeasures and investment quantitatively. This will be one of our future endeavors. In this study, we run ANOVA based on a non-parametric method, but the information obtained from the results is still not enough as material for examining countermeasures. By using various social survey methods, we will also continue to research information security countermeasures and investments from the viewpoints of economics and business.
Finally, the author hopes that this study will become an academic contribution to business and economics and will help to give the incentive for firms to invest in and take information security countermeasures.