TY - JOUR
T1 - Information Security Awareness Raising Strategy Using Fuzzy AHP Method with HAIS-Q and ISO/IEC 27001:2013
T2 - A Case Study of XYZ Financial Institution
AU - Styoutomo, Yohan Adhi
AU - Ruldeviyani, Yova
N1 - Publisher Copyright:
© 2023 CommIT Journal. All rights reserved.
PY - 2023
Y1 - 2023
N2 - XYZ financial institution is a government institution that receives and processes transaction reports from banks and remittances, so its data classification is very confidential. However, during the Work from Home (WFH) policy in the Covid-19 pandemic, XYZ financial institution has received many spam/phishing attacks. Hence, this incident shows that some employees need an awareness of information security. The research offers a different Information Security Awareness (ISA) questionnaire using the Human Aspects of the Information Security Questionnaire (HAIS-Q) and ISO/IEC 27001:2013 as focus areas. The research uses the theory of Knowledge, Attitude, and Behavior (KAB) to determine the dimensions that need improvement and priority ranking using Fuzzy Analytical Hierarchy Process (FAHP). Furthermore, the research conducts a Focus Group Discussion (FGD) to explore the root causes of employee behavior. The FGD results show that there are still employees who do not know about information security, such as password combinations and length, so limited knowledge affects employees’ attitudes and behaviors. The research results from 34 respondents show that the employees’ information security awareness level is in the moderate category (78.8%). They still need to increase their awareness of information security, especially in managing passwords, using email and the Internet, and reporting incidents. Recommendations have been prepared to improve the dimensions and areas that have yet to be categorized as good. In the future, the ISA questionnaire is expected to be used in other organizations.
AB - XYZ financial institution is a government institution that receives and processes transaction reports from banks and remittances, so its data classification is very confidential. However, during the Work from Home (WFH) policy in the Covid-19 pandemic, XYZ financial institution has received many spam/phishing attacks. Hence, this incident shows that some employees need an awareness of information security. The research offers a different Information Security Awareness (ISA) questionnaire using the Human Aspects of the Information Security Questionnaire (HAIS-Q) and ISO/IEC 27001:2013 as focus areas. The research uses the theory of Knowledge, Attitude, and Behavior (KAB) to determine the dimensions that need improvement and priority ranking using Fuzzy Analytical Hierarchy Process (FAHP). Furthermore, the research conducts a Focus Group Discussion (FGD) to explore the root causes of employee behavior. The FGD results show that there are still employees who do not know about information security, such as password combinations and length, so limited knowledge affects employees’ attitudes and behaviors. The research results from 34 respondents show that the employees’ information security awareness level is in the moderate category (78.8%). They still need to increase their awareness of information security, especially in managing passwords, using email and the Internet, and reporting incidents. Recommendations have been prepared to improve the dimensions and areas that have yet to be categorized as good. In the future, the ISA questionnaire is expected to be used in other organizations.
KW - Fuzzy Analytical Hierarchy Process (FAHP)
KW - Human Aspects of the Information Security Questionnaire (HAIS-Q)
KW - Information Security Awareness
KW - ISO/IEC 27001:2013
UR - http://www.scopus.com/inward/record.url?scp=85174516245&partnerID=8YFLogxK
U2 - 10.21512/commit.v17i2.8272
DO - 10.21512/commit.v17i2.8272
M3 - Article
AN - SCOPUS:85174516245
SN - 1979-2484
VL - 17
SP - 133
EP - 149
JO - CommIT Journal
JF - CommIT Journal
IS - 2
ER -