DocumentCode :
3423289
Title :
Information security competence test with regards to password management
Author :
Tarwireyi, Paul ; Flowerday, Stephen ; Bayaga, A.
Author_Institution :
Dept. of Inf. Syst., Univ. of Fort Hare, East London, South Africa
fYear :
2011
fDate :
15-17 Aug. 2011
Firstpage :
1
Lastpage :
7
Abstract :
It is widely acknowledged that when it comes to IT security, the human factor is usually the weakest link. In an effort to strengthen this link, most CIOs are embracing the deployment of security awareness programmes. It is accepted that these programmes can create an information security-aware culture where security risks can be reduced. Even though work has been done in ensuring that these programmes include mechanisms for changing behaviour and reinforcing good security practices, there is a lack of work on measuring the effectiveness of such programmes. Competence-based questions have long been used in HR to select employees with the skills that are necessary to perform effectively in a job. Competence-based tests focus mainly on the behaviours and traits critical for success on the job and how they have been demonstrated in the past. This current paper presents the description of an approach that uses competency-based behavioural questions to measure security competence levels at a university with regards to password management. A sample of 140 students participated in the study. The findings revealed that even though students were aware of the procedures, many failed to implement them. For example, 48.6% of students would share their passwords even though they knew it was wrong. It was also found that there is a positive relationship between the year of study and the creation of strong passwords (n=140; r=+0.268; p=0.007).
Keywords :
educational administrative data processing; educational institutions; security of data; IT security; competency based behavioural question; information security competence test; information technology; password management; security awareness program; security competence level; university; Authentication; Current measurement; Educational institutions; Human factors; Information security; Information Security Awareness; Information Security Behaviour; Password Management;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Information Security South Africa (ISSA), 2011
Conference_Location :
Johannesburg
Print_ISBN :
978-1-4577-1481-8
Type :
conf
DOI :
10.1109/ISSA.2011.6027524
Filename :
6027524