
Computers & Security 42 (2014) 56-65


Smartphone information security awareness: A victim of operational pressures

Sean Allam a, Stephen V. Flowerday a,*, Ethan Flowerday b

a Information Systems Department, University of Fort Hare, 50 Church Street, East London 5200, South Africa
b Kings College, University of London, United Kingdom

Article history:
Received 16 August 2013
Received in revised form 16 January 2014
Accepted 20 January 2014

Keywords:
Smartphone
Information security
Awareness
Bring your own device (BYOD)
Mobile computing

Abstract

Smartphone information security awareness describes the knowledge, attitude and behaviour that employees apply to the security of the organisational information that they access, process and store on their smartphone devices. The surge in the number of smartphone devices connecting to organisational systems and used to process organisational data has enabled a new level of operational efficiency. While employees are aware of the benefits they enjoy by bringing their personal devices into the workplace, managers too are aware of the benefits of having a constantly connected workforce. Unfortunately, those aware of the risks to information security do not share an equal level of enthusiasm. These devices are owned by employees who are not adequately skilled to configure the security settings for acceptable security of that information. Moreover, routine information security awareness programmes, even if applied, gradually fade into the daily rush of operations from the day they are completed.
This paper explores the factors which influence these oscillating levels of information security awareness. By applying an adapted version of an awareness model from the domain of accident prevention, the factors which cause diminishing awareness levels are exposed. Subsequently, information security awareness emerges as a symptom of such factors. Through geometrical modelling of the boundaries and pressures that govern our daily operations, an awareness model emerges. This model ensures that organisations are better equipped to monitor their information security awareness position, their boundaries and the daily pressures affecting the organisation, thus allowing them to design better integrated policies and procedures to encourage safe operating limits. The model is evaluated using a theory evaluation framework through an expert review process.
© 2014 Elsevier Ltd. All rights reserved.

1. Introduction

This is an open-access article distributed under the terms of the Creative Commons Attribution-NonCommercial-No Derivative Works License, which permits non-commercial use, distribution, and reproduction in any medium, provided the original author and source are credited.
* Corresponding author. Tel.: +27 43 7047071.
E-mail address: sflowerday@ufh.ac.za (E. Flowerday).
0167-4048/$ - see front matter © 2014 Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.cose.2014.01.005

A myriad of devices accompany employees, contractors, business partners and other stakeholders into organisations daily as part of the bring your own device (BYOD) phenomenon. Smartphone devices are often the personal property of the users, but are increasingly being used to access and process organisational information in addition to personal information. However, users are often unaware of the risk these devices introduce or, even if they have some degree of awareness, how to mitigate these risks. This situation is exacerbated by the fact that smartphone owners are solely responsible for the ultimate administration of their own devices. Research by the Ponemon Institute (2012) found that in the past three years mobile devices have become a major threat for 73% of their respondents, up from only 9% in 2010. A study by Cisco (2013) found that almost 40% of smartphone users do not have a password enabled on their device. A similar study by PricewaterhouseCoopers (2012) estimated that as many as one in three small businesses, and 75% of large businesses, allow smartphones and tablets to connect to their systems, many without taking any steps to mitigate potential risk.
Theoharidou et al. (2012) list many different types of data that may be stored on smartphone devices, including personal, business, government, financial, authentication and connection or service data. This combination of data stored on personal devices raises the risks for organisations in terms of having their information, or that of their clients, compromised. Compromised data may result in identity theft, the loss of corporate trade secrets or in another undesirable outcome. This information is not protected by organisational security when it exists on personal devices. Information which for many years found protection behind firewalls, servers and other security controls is being exposed by end users who do not take adequate action to protect their personal devices.
In the academic literature, information security awareness
has been promoted as a means of reducing security risk across
a number of threat areas. Kruger and Kearney (2006),
Eminagaoglu et al. (2009), Albrechtsen and Hovden (2010),
and Bulgurcu et al. (2010) all promote awareness as a means of
reducing security risk. These authors explain that increasing
awareness influences behaviour, which ultimately reduces
risk by focussing on the user and not the device. Unfortunately,
as security risk areas are continuously changing and evolving,
existing awareness quickly becomes obsolete, and therefore
ineffective, with behaviour having been found to slowly
migrate back to higher risk patterns. This degenerative
migration takes place without malicious intention. It has also
been found that, as the operating environment changes and as
risk changes, awareness levels are found to adjust accordingly.
The paper begins by introducing an existing awareness
model from Rasmussen (1997), and builds on prior adaptations of this model for the purposes of improving smartphone
information security awareness. Although some findings may
be applicable to other mobile devices, the assessment is targeted at smartphone devices for the purpose of specifically
refining the scope of the model assessment phase. Following
the introduction of the adapted model, an assessment
framework is introduced and the components of this framework are applied to the adapted model. The purpose of this
framework is to ensure that the adapted model satisfies the
criteria for a theory in the information systems domain. The
paper then assesses the components of the adapted model and the way the model components apply to both the problem area (smartphone security awareness) and the model validation framework criteria. Finally, the paper concludes with a new theoretical model in the field of smartphone information security awareness.


This model provides organisations with a better understanding of the impact that operational pressures have on
smartphone information security awareness, allowing for the
improvement of policy relating to those elements. Mahesh and
Hooter (2013) note the importance of not only providing organisational policy to govern the use of smartphone devices by
employees, but also explaining the purpose and intention of the
policy to the employees. The paper shows how seemingly positive efforts to improve operational efficiencies may actually be
the cause of incidents, with lowered levels of user awareness in
fact being one of the symptoms of a broader set of influencing
factors. This is illustrated by the geometrical transformation of
an established awareness model from the domain of accident
prevention. In using this model, policy makers will be better
equipped to understand the relationship between the forces at
play that influence smartphone information security awareness.

2. Background: the awareness conundrum

Security awareness programmes are often instituted to raise
the level of participants' awareness of risk factors in a specific risk area. Unfortunately, improved understanding of the risk associated with a specific area does not guarantee any specific outcomes. Kruger and Kearney (2006) explain the following factors which should result from addressing awareness levels in an organisation:
- Knowledge: what people know
- Attitude: what people think
- Behaviour: what people do
Awareness programmes are instituted to improve these
factors in the hope that information security risk will be
reduced. Rasmussen (1997) notes that while improved
awareness levels may provide temporary relief from risk, over
time employees find themselves returning to previous levels
through either productivity or workload pressures.
Rasmussen (1997) warns that efforts to produce a safety culture will be never-ending because they are only effective as long as a continuous set of pressures is compensating for the functional pressure of the work environment. This effect is most notable in once-off awareness programmes, as awareness levels diminish post-event due to routine organisational pressures. This points to the existence of external influencing factors which contribute to the information security awareness level at an organisation.
Smartphone information security awareness determines
the level of knowledge employees and managers of an organisation possess relating to the mobile security of the information contained on such devices. Further to this it defines
the attitude which these groups respond to the knowledge
that they possess, and what specific behaviour they take in
response to their combined attitude and knowledge. The
awareness level includes these factors as they relate not only
to the device and its capabilities, but also the changing context
within which the device is being used as a mobile user travels
throughout the day. Current awareness efforts focus on once
off training with very little monitoring of organisational
behaviour in the long term.

Organisations are in need of a more integrated and lasting solution to employee awareness; one in which awareness efforts contribute to an improvement in the organisational
culture. Accordingly, an improved organisational culture
embeds security as part of the way things are done.
Albrechtsen and Hovden (2010) explain that because behaviour is a direct product of awareness, it follows that mature
awareness leads to modified behaviour. However, this requires holistic support from all employees and stakeholders
working within the organisation. Accordingly, the Awareness
Boundary Model described in the following section forms the
foundation for an adapted smartphone security awareness
boundary model. The model also introduces external factors
which influence the information security awareness level.

2.1. The awareness boundary model

Rasmussen (1997) provides the Awareness Boundary Model as
a means to illustrate the cause of accidents in dynamically
changing environments. The model, which is illustrated in
Fig. 1, explains how undesirable events can take weeks,
months or even years to surface, as a result of regular and
routine workplace pressures. These routine pressures are
explained as dynamic driving forces of human behaviour to
resist the breach of unfavourable boundary conditions in a
work system. The three boundary conditions are unacceptable workloads, economic failure, and functional acceptance.
Rasmussen (1997) separates employees and other stakeholders into two groups, those in management and those who
are not in management. He associates each group with the
economic failure boundary and unacceptable workload
boundary respectively. Managers will be inclined to resist
economic failure and employees to resist unacceptable workloads. Each of these is referred to below as a social boundary
in the adapted awareness boundary model. The two central
arrows in Fig. 1 represent the gradient pressure of each of these
groups away from the social boundaries towards functional
acceptance, the third boundary. Rasmussen (1997) warns that
if allowed to continue unabated, these gradients may eventually breach the functional acceptance boundary, at which point
he warns of undesirable circumstances taking place.

As an example, at an organisation smartphone users might
wish to reduce their work effort by disabling or deactivating
the access password on their smartphones. In one recent
study, Cisco (2013) found this scenario to be as high as 39% of
users. Users do this to avoid having to perform undesirable
additional steps (password entry) when accessing their device
frequently. In the process they are applying pressure away
from the unacceptable workload boundary. Botha et al. (2009)
also found that smartphone users are of the opinion that periodic re-authentication is intolerable on smartphone devices,
although this is widely accepted on traditional desktop and
laptop devices.
To increase productivity, managers might insist that
operational activities be permitted for smartphone devices.
This results in a gradient pressure away from the economic
failure boundary as organisations push to increase the pressure on employees to work. Mylonas et al. (2013) caution that
normal users are simply not able to make satisfactory security
decisions, nor are they able to use security controls
adequately. In their research, PricewaterhouseCoopers (2012)
found that, on average, only 8% of an organisational IT
budget is being allocated to security spend and that such
spend is still being viewed as an undesirable expense.
Therefore, the drive to increase productivity by providing access to organisational information is not being adequately
protected due to the inability of users to secure their devices.
The combination of these gradient pressures (the arrows
from the social boundaries in Fig. 2) will see the organisation
move towards the boundary of functional acceptance. This
boundary represents the point at which the organisation is
both optimised and safe. The original model shows that an
increased risk of accidents may occur if the organisation
operates at a point outside the boundary of functional
acceptance. In the example provided above, accidents may
occur in the form of smartphone information security incidents or breaches. Theoharidou et al. (2012) list personal
information disclosure, legislation violation, contractual
breach, commercial and economic interests, financial loss,
public order, international relations, business policy and operations, loss of goodwill/reputation, personal safety, annoyance and so forth as examples of the type of security incidents
and breaches which may occur.

Fig. 1. Awareness boundary model (Rasmussen, 1997).

2.2. An adaptation for smartphone information security awareness

Portokalidis et al. (2010) and La Polla et al. (2013) both caution that traditional PC-oriented security solutions are not always
applicable or do not offer comprehensive security for smartphone devices. Caldwell (2011) explains that mobile device
management practices are still less mature than those of
other technologies. As a result of the large number of different
devices, operating system versions, applications and vendors,
providing a universal technical set of security controls becomes very complex and expensive. Mylonas et al. (2013)
highlight this, adding that in most circumstances the burden
of making security decisions lies with the device owner. For
this reason, the Awareness Boundary Model has been selected
to target the knowledge, and ultimately the behaviour, of the
smartphone user and not any specific device, vendor or operating system. This model positions smartphone information security as the victim of the operational pressures highlighted by the model. These pressures should be the target of smartphone security policy, not the devices.
As provided by Rasmussen (1997), the Awareness Boundary Model is very broadly applicable. Through prior adaptation (Allam and Flowerday, 2011) of Rasmussen's (1997) Awareness Boundary Model, the model boundaries have been refined in order to address specifically the awareness of smartphone information security. In addition, by applying General Systems Theory (Von Bertalanffy, 1950), an awareness feedback loop is included to promote feedback as a mechanism for promoting perpetuity in the application of the model. Tankard (in Mansfield, 2013) states that although many organisations do have some level of security in place, they very often fail to react adequately to what these systems are telling them.
Table 1 provides a description of the adapted version of each boundary for targeting smartphone operations at an organisation (Allam and Flowerday, 2011).
The adapted model provides three boundaries with similar consequences to the boundaries found in the original model. These three boundaries effectively provide the safe operating space for smartphone operations within an organisation. In the event that one of the gradient boundaries (social boundaries) is breached, smartphone operations will become unsustainable. For example, where management applies excessive pressure on users to perform operations using their smartphone devices, employees might find themselves pressured or pushed over the boundary of unacceptable smartphone operations. This would ultimately result in resistance from employees towards smartphone operations.
At the boundary of functional acceptance of smartphone usage, the risk of breaching the boundary of economic feasibility or the boundary of unacceptable workload is minimised, and the pressure from the social gradients is maximised. At a position on or very near this boundary, operations are optimised. Although optimised, risk increases as the organisation moves closer to the boundary. Rasmussen (1997) warns that this is because operating outside this boundary places the organisation at increased risk of experiencing an information security incident.

Fig. 2. Smartphone awareness boundary model (Allam and Flowerday, 2011, adapted from Rasmussen, 1997).

3. Model validation as a theory

The Awareness Boundary Model has never before been
adapted for the purpose of improving smartphone security
awareness. Therefore, a process of evaluation is required to
determine the quality of the adaptation to the model as a
means of improving smartphone information security
awareness. Wallis (2008) points out that although social
theory may be difficult or impossible to test or falsify,
practice cannot be entirely free from theory. Weber (2012)
provides a framework for assessing the quality of an information systems theory where practical testing might be
difficult or impossible. He also notes that this framework
can be applied to any model that displays the characteristics required in order for a model to be assessed as a theory.
Experts must apply critical thought to the conceptual
overview of the model and comment until a consensus is
reached that the model is effective in addressing its focal
phenomenon.
Weber (2012) explains that models can be evaluated as a
theory if they satisfy specific criteria for high-quality parts
and a high-quality whole. Wallis (2008) concurs, stating that
for a theory to be considered effective it must be subject to
both internal and external testing. Weber (2012) provides four
parts that have to be in place for the proper assessment of a
theory. These four parts are constructs, associations, states
and actions. In addition he provides four elements of the
whole which are necessary to assess. These whole elements
are Parsimony, Level, Importance, Falsifiability and Novelty.

Table 1. Adapted boundaries.

Original boundary | Adapted boundary | Description | Social boundary
The boundary of unacceptable workload | The boundary of unacceptable smartphone operation | Points at which the use of smartphone devices requires a workload effort higher than the perceived benefits of such use | Yes
The boundary of economic failure | The boundary of economic smartphone feasibility | Points at which the economic benefit of smartphone usage is lower than the cost of such activities | Yes
The boundary of functional acceptance | The boundary of functional acceptance of smartphone usage | Represents the optimum points of safe smartphone usage | No

3.1. Determination of constructs and their attributes

Before the state space can be determined, the constructs of a theory or model must be defined. Constructs are defined by Weber (2012) as the attributes in general of classes of things, that is, the groupings of entities from the real world at which the model is targeted. Essentially, what are the things that are represented by the model, and what attributes of those things are observed? The model targets information security awareness for smartphone usage and not the device specifically. This means that the device user is the primary focus of the model. When applied to the adapted boundary model, the constructs target the following classes of individuals:
- non-managers, who are the employees that are found to use or own smartphone devices in the workplace
- managers, who are responsible for workers that utilise smartphone devices in their operational activities
- all employees and third parties, who are the collective workforce responsible for the daily operations at an organisation

3.2. Attribute associations and events

Rasmussen (1997) indicates that relationships (associations) between constructs define the reaction that one construct will have following changes (events) to the state of another construct. Accordingly, the three constructs can be related through associations of their own attributes or the attributes of another construct. Fig. 3 illustrates the placement of each of the five construct attributes on the adapted model. The attributes of productivity, workload and functional acceptance are continuums which exist along each of the three boundaries, while work pressure and work effort are aligned to the two gradients angled towards functional acceptance. Any event which alters the state of one of these attributes (increasing or decreasing it) results in changes to other attributes, and a possible adjustment to the awareness position of the organisation within the model. The change can be determined using formulae (representing the relationships between attributes), which are provided in section 4.5.

Fig. 3. Attributes in general, applied within the adapted model.

4. A state space exploration triangle

In order to detail the state space which exists in the adapted Awareness Boundary Model, each of the constructs must be provided with a set of states. This allows the model to be assessed while varying the state of each of the constructs to see how the system responds. In order to assist in exploring the components of the model, it is configured in Fig. 4 as a geometrically consistent equilateral triangle. Each side of the equilateral triangle represents one of the three boundaries of the adapted Awareness Boundary Model. Careful attention ensures that none of the key concepts of the model is lost through the new geometric representation of the original model. This section will begin by explaining the geometric transformation performed on the adapted model, followed by an exploration of the geometric state space of the model. The triangle is provided to assist in the state space exploration of the model and not to replace the adapted model.

4.1. Model geometrical transformation

An equilateral triangle provides a similar shape to the original model, although geometric accuracy is improved in comparison with the original sketched model. The properties of an equilateral triangle make it a perfect candidate for performing an assessment of the behavioural characteristics of the adapted Awareness Boundary Model. The three equal sides are easily represented as the boundaries of the Awareness Boundary Model, and they allow a common state legend to be associated with each of the boundary continuums (the equal length along each side). Using perpendicular lines of intersection from any point on both of the social boundaries, an intersection point will be met at a third perpendicular line of intersection from the functional acceptance boundary. The central intersection point of any three lines of intersection from the boundaries provides an awareness point for the boundary model that corresponds to three respective boundary intersection values.

4.2. Model boundaries explanation

The boundaries from Fig. 3 are represented by the equal sides of an equilateral triangle, illustrated in Fig. 4. Each side represents a continuum upon which the state of that boundary ranges from a minimum value to a maximum value. In reality an infinite number of continuum scale steps would exist along each of the boundaries; however, this would result in an impossible number of states to explore. In order to provide a pragmatic method for illustrating the model states, a simplified scale consisting of 11 steps is provided. Therefore along each boundary a scale of 0 (minimum) to 10 (maximum) is provided as steps representing the possible states of the attribute represented on that boundary.
For improved clarity, the triangle has been rotated so that the boundary of functional acceptance is horizontal and lies at the bottom of the triangle. The labels at the boundaries

display the attributes associated with each boundary, although the boundaries still represent the smartphone awareness boundaries as indicated in Fig. 2 and Table 1.

Fig. 4. The boundary triangle.

4.2.1. Workload boundary

The workload boundary is provided as a line at which employees or an individual employee would perceive that the
amount of work effort required for smartphone operations
exceeds their benefit and reward of use. Employees will then
naturally migrate away from this boundary as they seek to
minimise the amount of effort required to perform their daily
tasks. The position along the boundary from which the
migration will take place is dependent on the level of workload currently being experienced in the organisation. Any
organisation which finds itself at a position outside this
boundary (outside the triangle nearest the boundary of unacceptable workload) will face certain labour unrest and
possible strikes. In the case of skilled workers, the organisation is likely to face massive staff turnover and heavy loss of
intellectual capital.

4.2.2. Productivity boundary

The productivity boundary represents the level of efficiency at
which smartphone devices are integrated into the operations
of an organisation. This boundary marks the absolute minimum level of economic feasibility for smartphone usage in the
organisation independent of the productivity level. Management will naturally migrate away from the boundary in an
attempt to maximise their investment in smartphone usage.
As with the migration from the workload boundary, migration
is perpendicular to the productivity boundary. Any organisation operating outside the triangle near to this boundary is
unlikely to be able to sustain its operating expenses for an
extended period of time. This may be sustainable for a short
period in organisations with stronger financial standings;
however, eventually shareholders and business owners will
need to intervene by reducing or banning smartphone usage
or reducing its formal support for smartphone operations.

4.2.3. Functional acceptance

The third and final boundary of the adapted Awareness
Boundary Model is functional acceptance. This boundary is
similarly scaled from a minimum value of 0 to a maximum
value of 10. Operations are optimised at each point along the
boundary, but at a different level of functional acceptance.
The points along this boundary effectively represent an optimised state of safe smartphone operating points under
normal conditions. As previously noted, outside this boundary
smartphone information security incidents have an elevated
likelihood of occurring.

4.3. Explanation of model gradients

At the boundaries either financial feasibility is low or
perceived workload is maximised and therefore resisted by
managers and non-managers respectively. The resistance
from each boundary takes the form of a perpendicular
gradient, with the two gradients being the work pressure and
the work effort provided by managers and non-managers
respectively.

4.3.1. Work pressure

The gradient of work pressure is a natural resistance applied
by managers from the boundary of productivity. Increases in
this gradient represent an increasing level of work pressure in
an attempt to maximise the distance from economic failure
(the productivity boundary). Rasmussen (1997) attributes this
gradient to the routine pressure applied by management,
which is responsible for maximising the financial performance of the organisation. As the gradient moves in a direction away from the boundary of productivity, the pressure for
increased productivity by management becomes stronger.
This pressure competes with the pressure being applied by
employees to minimise their work effort. This introduces security risks as the relentless pressure to perform work often
results in employees taking risks to respond to this pressure.


This might be in the form of an employee storing large volumes of corporate information on an unsecure smartphone
device in order to process information remotely or to work on
the move.

4.3.2. Work effort

The gradient of work effort is the pressure exerted by non-managers in a direction away from the boundary of workload. The pressure from the boundary represents a diminishing level of work effort as the distance from the boundary
increases (see Fig. 3). Rasmussen (1997) explains that in efforts
and experiments to improve performance, employees will
naturally seek to minimise the level of effort required to
produce the same output. For example, employees may
reduce the steps in their smartphone operations by disabling
the security controls on their devices. This will continue unabated for an indefinite period. However, at some point this
behaviour will place the organisation at a level of increased
risk; for example, eventually the organisation will become
overly optimised to the point that security control measures
are being circumvented or ignored in favour of reduced
workload or increased productivity.

4.3.3. Counter gradient

At the boundary of functional acceptance a counter gradient
must be applied to prevent the gradient pressures from the
social boundaries from continuing to the point where the
functional acceptance boundary is breached. Albrechtsen
(2007) reaffirms the need for this as he notes that employees
deem information security control steps to either reduce their
productivity or increase their workload. Counter gradients,
such as controls, procedures and policies, assist in preventing
breaches from occurring. The perpendicular line of intersection at any point along the functional acceptance boundary
(meeting the gradient lines from the other boundaries) is the
counter gradient applied from that boundary. Rasmussen
(1997) warns that a counter gradient from the functional
acceptance boundary can be burdensome, and should be
minimised to allow the organisation to operate as close to that
boundary as possible. Organisations are optimised at any
point closest to the boundary, but not across it where risk
begins to escalate.

4.4. State space modelling

Having identified each of the components and the applied state values for each component, a comprehensive state space analysis can be conducted. A state space is effectively a blanket of state combination points which covers the entire working space of the model. Combinations of attribute states form a point, while a combination of adjacent points forms an area in the model state space. Three areas (illustrated in Fig. 4) are significant for the model, each of which describes an organisation at a different level of maturity in terms of its information security awareness level. The first area is the transitional state area, representing organisations that operate closer to the boundary of productivity or workload than to functional acceptance. The second area, which is optimised, forms a triangle above the functional acceptance boundary. The final area, breach of functional acceptance, forms a similar triangle below the functional acceptance boundary.

4.4.1. State areas

A transitional state area is the portion of the state space found above the lines of the perpendicular bisectors for the productivity and workload boundaries. This is illustrated in Fig. 4 as the shaded area labelled Transitional area, within which position c is located. Organisations in this space are not in danger of breaching the boundary of functional acceptance, as they are still transitioning through states which place them at a higher risk of breaching one of the social boundaries.
The optimised state area falls within the triangle formed below the lines of the perpendicular bisectors for each of the social boundaries. This is illustrated in Fig. 4 as the shaded area labelled Optimised. The focus of organisations in this area is on improving operations to an optimised level that is on, or very close to, the boundary of functional acceptance. The triangular shape indicates that the optimised state becomes smaller as it gets closer to each of the undesirable social boundaries and is largest at the centre. Organisations operating in this area have begun to mature their adoption of smartphone usage; position a in Fig. 4 falls within this area.
Outside the functional acceptance boundary, organisations are operating in an effective state of dangerous over-optimisation, and the control measures in place are not designed for such a level of operation. This is illustrated in Fig. 4 by the shaded area labelled Breach of functional acceptance. Organisations that find themselves in this area must urgently institute steps to return to the safer optimised area, back within the boundary of functional acceptance. Position d in Fig. 4 falls within this area. Organisations operating in this area have adopted more operations for smartphone usage than they can safely monitor and control.

4.5. State positioning

State positioning entails the process of identifying the position at which an organisation would be situated within the state boundaries, or in some circumstances outside one of the boundaries. Determining the position at which an organisation is currently operating depends on two factors: the level of productivity at that organisation and the level of workload. For example, an organisation with a productivity level of 6 and a workload level of 8 would be placed within the optimised state area at the position marked a in Fig. 4. If employees begin to seek ways in which to comply with requests from management to increase work effort, they may begin to operate their smartphone devices in insecure ways in order to minimise work effort. This would result in the organisation moving along the gradient to a position such as d, which falls outside of the functional acceptance boundary. As an example, at position a a mandatory device access password might be enforced; over time, however, the password enforcement might be eased to make operations easier for employees, resulting in the migration to position d. Although operations are optimised, as users no longer need to enter a password, the risk at d is much higher as devices are no longer access restricted.
At the position labelled a in Fig. 4, the gradient pressure from the productivity boundary is much higher than the gradient pressure from the workload boundary. This indicates that the work pressure being applied by management is much higher than the work effort (minimisation) pressure being applied by the employees. With higher management pressure required, the corresponding level of functional acceptance is at a fairly low level of 3. At the position labelled b in Fig. 4, the scenario is the opposite of the scenario detailed above. Accordingly, management pressure is much lower, and employee work effort is very low (stronger gradient). This provides a higher level of functional acceptance at a position of 8 on that boundary, although the actual distance to the boundary is slightly further than at position a, which is nearer to the boundary.

4.5.1. Formula

Using mathematical formulae it is possible to determine the effect that variations in the attributes have on the position of an employee or organisation within the model. Formulae provide an easy way to explore the impact of such adjustments to the constructs found in the adapted boundary model. In the following formulae, three variables represent the values along three of the boundaries, and a fourth represents the distance from the functional acceptance boundary:

A for the workload level
B for the productivity level
C for the functional acceptance level
X is the distance from the functional acceptance boundary

The first simple formula determines the functional acceptance level (C) based on the levels of the workload (A) and productivity (B) boundaries. The functional acceptance level is the position along the lower boundary (functional acceptance) based on the values from which the gradients from the social boundaries exert pressure away from those boundaries.

$C = B - A + 5$ (1)

The formula provides that functional acceptance is the result of the difference between the productivity and the workload boundaries plus five. For example, a productivity of 7 and a workload of 5 provides for a functional acceptance level of 7. If a productivity level of 7 is determined with a workload of 9, the resultant level of functional acceptance would be found at 3.
The next formula provides a means to determine the distance at which an organisation is operating from the functional acceptance boundary, or whether it has breached the boundary. The following formula solves for X, the distance from the functional acceptance boundary.

$X = 7.5 - \frac{A + B}{2}$ (2)

Therefore, the distance from the boundary of functional acceptance can be found by subtracting half of the sum of the levels of productivity and workload from 7.5. To illustrate, a productivity of 8 with a workload of 5 intersect at a distance of 1 above the boundary of functional acceptance (position b in Fig. 4). Similarly, a productivity level of 9 and a workload of 8 would result in a distance of -1 (position d in Fig. 4). The negative sign resulting from the second example indicates that a breach has occurred on the boundary of functional acceptance. Therefore, an organisation operating at this combination of productivity and workload is operating at elevated risk. Organisations should therefore seek to minimise the value for X in formula (2), without resulting in a negative figure for X.
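The state positioning of Section 4.5 and formulas (1) and (2) above can be checked mechanically. The following is an added worked example, not code from the paper: it implements C = B - A + 5 and X = 7.5 - (A + B)/2 with the paper's own values for positions a (workload 8, productivity 6), b (5, 8) and d (8, 9), and then replays the password-erosion scenario of Section 4.5 as a sequence of control-relaxation events. The event descriptions and the assumption that each relaxation raises productivity by one level while workload stays at 8 are constructed for illustration; the paper gives only the start and end positions. The split between the transitional and optimised areas inside the boundary depends on the geometry of Fig. 4, which the text gives only graphically, so the example classifies positions only as within, on, or in breach of the functional acceptance boundary.

```python
"""Worked positions in the adapted Awareness Boundary Model.

Added example, not code from the paper. Implements formulas (1) and (2)
as given in the text:

    C = B - A + 5            functional acceptance level
    X = 7.5 - (A + B) / 2    distance from the functional acceptance boundary

where A is the workload level and B the productivity level. Positions a, b
and d use the paper's numbers; the drift events below are constructed
illustrations of control relaxation and are not taken from the paper.
"""
from typing import List, Optional, Tuple


def functional_acceptance(workload: float, productivity: float) -> float:
    """Formula (1): position C along the functional acceptance boundary."""
    return productivity - workload + 5


def boundary_distance(workload: float, productivity: float) -> float:
    """Formula (2): distance X from the functional acceptance boundary.

    Positive values lie inside the boundary, zero is on it, and a negative
    value means the boundary has been breached.
    """
    return 7.5 - (workload + productivity) / 2


def classify(workload: float, productivity: float) -> str:
    """Breach test on X. The transitional/optimised split inside the boundary
    needs the geometry of Fig. 4, which is not given numerically, so only the
    sign of X is used here."""
    x = boundary_distance(workload, productivity)
    if x < 0:
        return "breach of functional acceptance"
    if x == 0:
        return "on the functional acceptance boundary"
    return "within the functional acceptance boundary"


Event = Tuple[str, float, float]  # (description, change in A, change in B)


def drift(start: Tuple[float, float], events: List[Event]):
    """Apply events in order and return (trajectory, first_breach_index).

    Each trajectory entry is (A, B, X). first_breach_index is the index of the
    first event after which X < 0, or None if the boundary holds throughout.
    """
    a, b = start
    trajectory = [(a, b, boundary_distance(a, b))]
    first_breach: Optional[int] = None
    for i, (_, da, db) in enumerate(events):
        a, b = a + da, b + db
        x = boundary_distance(a, b)
        trajectory.append((a, b, x))
        if first_breach is None and x < 0:
            first_breach = i
    return trajectory, first_breach


# Constructed drift from position a (A=8, B=6): each relaxation of the device
# passcode control is assumed to raise productivity by one level while
# management's workload pressure stays at 8 (assumption, not from the paper).
PASSCODE_EROSION: List[Event] = [
    ("passcode required only after 30 minutes idle", 0, 1),
    ("passcode enforcement removed from device policy", 0, 1),
    ("unenrolled personal devices allowed on internal Wi-Fi", 0, 1),
]


if __name__ == "__main__":
    for label, a, b in [("a", 8, 6), ("b", 5, 8), ("d", 8, 9)]:
        print(f"{label}: A={a} B={b} C={functional_acceptance(a, b)} "
              f"X={boundary_distance(a, b):+.1f} -> {classify(a, b)}")
    path, breach = drift((8, 6), PASSCODE_EROSION)
    for (a, b, x), step in zip(path[1:], PASSCODE_EROSION):
        print(f"after '{step[0]}': A={a} B={b} X={x:+.1f}")
    print("first breaching event:", PASSCODE_EROSION[breach][0])
```

Run as a script, the output reproduces the paper's figures (C = 3 and X = 0.5 at a, C = 8 and X = 1 at b, X = -1 at d) and shows that, under the constructed assumptions, the second relaxation is the one that takes the organisation across the boundary; a practitioner wiring this into an assessment would treat that event as the point at which the counter gradient (policy, procedure, control) must be reasserted.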
Over time, organisations will naturally continue to explore methods for increasing productivity. While the need for technical device and network solutions remains critical, improving user awareness is equally important. The model makes the relationship between many different organisational pressures much clearer. By addressing these both individually and collectively, a more cohesive and systematic security-aware working environment will emerge. From the economic feasibility boundary, management should be supported with proper policies and procedures. These should be drafted against a minimum security threshold, ensuring that efforts to increase productivity remain safely at an agreed level. For non-managers and third parties, service level and confidentiality agreements could bolster traditional awareness training programmes, discouraging users from bypassing security steps in efforts to reduce their work effort. Finally, the introduction of regulatory and security assessment feedback will provide the organisation with a view of its progress in maintaining operations within the functional acceptance boundary. Importantly, this will monitor the relationship between the two competing gradient pressures, ensuring that neither starts to overpower the other.

5. Expert evaluation feedback

An expert review of the model was selected as the most appropriate way in which to evaluate the quality of the model. Experts possess a deeper level of understanding of a problem phenomenon than individuals who are not experts in an area. An evaluation process was undertaken in which various experts were carefully selected, approached and presented with a detailed overview of the model and its adaptation for smartphone information security. The expert group was then asked to provide their own personal feedback on the inner parts and outer elements, as defined in Weber's (2012) evaluation framework, using an online survey response tool.
In total seven responses were received, of which four respondents were from academia (all holders of doctoral degrees) and the remaining three from industry. Invitations to participate were sent to individuals deemed to be experts based on their experience in the area of information security through either industry or academia. Industry respondents were selected where they were responsible for the information security at their organisation or at a client organisation.
The inner parts were assessed by all respondents, who were in agreement that the constructs, associations, events and states were all clearly defined and contributed to the purpose for which the model was provided. General consensus was found on the quality of the inner parts of the model. Therefore the inner parts of the model are deemed to be of sufficient quality to satisfy the requirements of the model evaluation framework for a high quality set of inner parts. The respondents were then asked to comment on the five outer elements in accordance with the evaluation framework. Again a general consensus was reached by all respondents that the outer elements were all of sufficient quality. There was no resistance from any respondent to any of the outer elements aside from some general feedback and recommendations.
Feedback using the online survey tool allowed respondents to provide a free text response on each of the criteria points. This allowed the respondent to provide a subjective view on any part or element of the model. In summary, the experts found the model to be adequately parsimonious, positioned at the correct level, addressing an important phenomenon, falsifiable and a novel contribution. The feedback provided for the parsimony element generally found that the model had just the right amount of constructs, associations and events. There were no suggestions for additional constructs and no recommendations to alter or remove any of the existing constructs. The level at which the model is positioned was found to be acceptable to the respondents. One respondent indicated that a continuum of levels might be useful to illustrate where the model is exactly targeted; however, it appeared to be at the correct level by targeting policy and procedure. All of the respondents found the model to be novel enough and significantly adapted for the purposes of preparation of policy and procedures for smartphone information security awareness. One respondent indicated that although they had viewed many research projects in this problem area, this was a unique angle to address the issue. Respondents unanimously agreed that the model addresses a very important and relevant problem area. One respondent suggested that this model could be used to address loopholes in the current thinking towards information security awareness. Falsifiability provided some slightly different responses from the respondents: some felt that the model could be reasonably addressed in related empirical testing; other respondents were unsure and indicated that this might be an area in which future research could be positioned.

5.1. Application of the model

Applying the model to improve the information security awareness level at an organisation requires a combination of actions. As with other theory, such as Game Theory and the Prisoner's Dilemma, the model is applied in its principles and not as a set of instructions or configurations. The model is to be applied in the design of policy, procedure and controls such that the awareness level of information security forms part of a continuous assessment and feedback mechanism (Fig. 5). This is the only way in which efforts to improve awareness will remain effective over time.
A sound awareness programme must not be designed to implement only the technical control measures of smartphone devices. It must include education and training for both management and non-management in the danger of over-optimisation of operational activities. Measurable indicators should be implemented to assess the level of pressure being applied by management and non-management in their respective gradient pressures. Productivity and workload guidelines should be established to protect the organisation from becoming over-optimised. Feedback needs to be incorporated into the policy and procedures around the use of smartphone devices at the organisation. Without these guiding principles organisations will only implement traditional security measures. These measures will eventually be eroded by efforts to maximise operational efficiency by both managers and non-managers. The model provides insight into this dynamic so that the controls implemented can avoid such circumstances.

Fig. 5. Model application to policy and procedure.

6. Conclusion

The adapted model and the exploration of its parts provide new insight into security awareness. Traditionally, the focus has always centred on training users about specific risk areas. By contrast, this model establishes that awareness of information security is only effective when applied within the dynamically changing organisational context. Prevailing information security awareness levels have been observed as symptoms of a greater set of organisational pressures, which are the cause of the symptom. For the effective management of user smartphone security awareness levels, the contributing factors, which are identified as attributes in the model, have been established in combination with the events that alter the value of these attributes. By addressing these as the root of the problem, information security will naturally be improved. Awareness subsequently shifts from an understanding of complex security procedures to an understanding of organisational pressures.
Smartphone information security awareness is found to be dependent on a combination of the following:
- smartphone productivity levels;
- the pressure applied by management on workers to perform work using smartphones;
- smartphone workload levels;
- the pressure applied by employees to reduce the amount of effort required to perform work using smartphone devices;
- the resulting pressure applied from policy and procedure in relation to the organisation's distance from the functional acceptance boundary.
As smartphone technology continues to mature, users and managers will continue to seek ways in which the operations of the organisation can be improved using these devices. As part of this process there is the risk that organisations will naturally migrate across the boundary of functional acceptance. Without the adapted Awareness Boundary Model, the source of any resulting incidents would likely be difficult to identify. Using the model, organisations can perform a number of assessments to establish the contributing attributes and what course of action is required to return the organisation to a safer level of operation.

Appendix A. Supplementary data

Supplementary data related to this article can be found at http://dx.doi.org/10.1016/j.cose.2014.01.005.

references

Albrechtsen E, Hovden J. Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study. Comput Secur 2010;29(1):432-45.
Albrechtsen E. A qualitative study of users' view on information security. Comput Secur 2007;26(1):276-89.
Allam S, Flowerday S. An adaptation of the awareness boundary model for smartphone computing. In: ISSA 2011. Johannesburg: IEEE; 2011. pp. 1-8.
Botha R, Furnell S, Clarke N. From desktop to mobile: examining the security experience. Comput Secur 2009;28(3-4):130-7.
Bulgurcu B, Cavusoglu H, Benbasat I. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q 2010;34(3):523-48.
Caldwell T. Smart security. Netw Secur 2011;9(1):5-9.
Cisco. BYOD insights 2013. Retrieved from Cisco mConcierge: http://www.ciscomcon.com/sw/swchannel/registration/internet/registration.cfm?SWAPPID91&RegPageID350200&SWTHEMEID12949; 2013, March.
Eminagaoglu M, Ucar E, Eren S. The positive outcomes of information security awareness training in companies - a case study. Inf Secur Tech Rep 2009;14(1):223-9.
Kruger H, Kearney W. A prototype for assessing information security awareness. Comput Secur 2006;25(1):289-96.
La Polla M, Martinelli F, Sgandurra D. A survey on security for mobile devices. IEEE Commun Surv Tutorials 2013;15(1):446-71.
Mahesh S, Hooter A. Managing and securing business networks in the smartphone era. Paper 5. In: Annual general business conference. Huntsville: Sam Houston State University; 2013. pp. 1-17.
Mansfield S. Q & A: Colin Tankard - raising security awareness. Netw Secur 2013, June;2013(6):16-9.
Mylonas A, Kastania A, Gritzalis D. Delegate the smartphone user? Security awareness in smartphone platforms. Comput Secur 2013;34(1):47-66.
Ponemon Institute. 2013 state of the endpoint. Traverse City, Michigan: Ponemon Institute LLC; 2012.
Portokalidis G, Homburg P, Anagnostakis K, Bos H. Paranoid Android: versatile protection for smartphones. In: Proceedings of the 26th annual computer security applications conference. New York: ACM; 2010. pp. 347-56. Retrieved from: http://dl.acm.org/citation.cfm?id1920313.
PricewaterhouseCoopers. Information security breaches survey. Retrieved 30.07.12 from: http://www.pwc.co.uk/audit-assurance/publications/ukinformation-security-breaches-survey-results-2012.jhtml; 2012, April.
Rasmussen J. Risk management in a dynamic society: a modelling problem. Safety Sci 1997;27(2):183-213.
Theoharidou M, Mylonas A, Gritzalis D. A risk assessment method for smartphones. In: 27th IFIP international information security and privacy conference. Crete, Greece: Springer (AICT267); 2012. pp. 428-40.
Von Bertalanffy L. An outline of general system theory. Br J Phil Sci 1950;1(2):134-65.
Wallis S. Validation of theory: exploring and reframing Popper's worlds. Integral Rev 2008;4(2):71-91.
Weber R. Evaluating and developing theories in the information systems discipline. J Assoc Inf Syst 2012;13(1):1-30.
Sean Allam. Information Systems Department, University of Fort Hare, East London, South Africa. Sean is currently finalising his reading towards a DPhil (Information Systems) at the University of Fort Hare. His primary research area is smartphone information security awareness within the banking sector of South Africa. Sean has an MCom in Information Systems, and has previously published in his research area. Sean also works full time in the information technology industry, and has over 10 years of experience in software development.
Stephen V. Flowerday. Information Systems Department, University of Fort Hare, East London, South Africa. Stephen holds a doctoral degree in Information Technology from the Nelson Mandela Metropolitan University. He is presently a professor focussing on Information Security at the University of Fort Hare. He has supervised postgraduate students and published extensively within his research field. Stephen assisted conceptually and with the editing. Stephen is Sean's doctoral supervisor.
Ethan Flowerday. King's College, University of London, United Kingdom. Ethan is currently studying for a joint Master's Degree in Mathematics and Physics in the School of Natural and Mathematical Sciences at King's College, University of London. His responsibility included conversion of the model to a geometric representation, and deriving the accompanying formulae for the model.
