Walisongo Journal of Information Technology, Vol. 5 No. 2 (2023): 103-128
DOI: [Link]
Copyright © 2023 WJIT: Walisongo Journal of Information Technology

Information Security Awareness Analysis on Digital Bank Customer Using Analytic Hierarchy Process: Case Study at XYZ Application from Bank ABC

Kemas Khaidar Ali Indrakusuma1,∗, Achmad Nizar Hidayanto1
1 Faculty of Computer Science, Universitas Indonesia, Depok, Indonesia
Corresponding author: kemask69@[Link]

Abstract

Digital banking is an innovation from banks to deal with the high demand of the retail customer. This study aims to analyse and measure the level of information security awareness of the customers of XYZ, one of the digital banks in Indonesia, and to provide recommendations for steps that need to be taken to reduce fraud cases caused by customer negligence. The focus areas included in this research are an adaptation and extension of the HAIS-Q framework and form a new theoretical framework to measure information security awareness for end users. The measurement is carried out by distributing questionnaires with a five-point Likert scale to 385 respondents. The responses are then processed using the Analytic Hierarchy Process (AHP) method, which involves eight experts measuring the weight of several identified focus areas, and classified using the Kruger scale. The information security awareness measurement has a result of 81,9770, which indicates that the information security awareness of XYZ users is at a good level. The results of data processing show that there are two focus areas and ten focus sub-areas that are still not in the good category. In addition, several recommendations are given to XYZ so that the focus areas and sub-areas that are not categorized as good can be improved, to make sure the information security awareness of XYZ users becomes better.

Keywords: Analytic hierarchy process, Digital bank, Information security awareness

ISSN: 2715-0143 (online), 2714-9048 (print)

1 Introduction

Threats to information security will always exist regardless of any countermeasures, but preventive measures can minimize the possibility of the realization of these threats (Whitman and Mattord, 2021). Threats to information security can come from technological aspects as well as human factors (Hassandoust et al., 2022). A report from the IBM Cyber Security
Intelligence Index states that almost 95% of security incidents are caused by human factors, which shows that human factors are a critical element of information security (Desolda et al., 2022). Many security and warning tools are provided as solutions to information security threats, but the end-user side is often poorly understood and explored (Das et al., 2022). Every company needs to change its policies and regulations to create guidance on information security awareness for end users to increase user knowledge about information security (Abulhaija et al., 2022), because lack of knowledge is one of the human factors that can make users vulnerable to threats to information security (Desolda et al., 2022).

The user is the weakest point in fraud crimes (Syafitri et al., 2022) and can be easily influenced and persuaded, through the use of human psychology, to provide confidential data to perpetrators of fraud (Ali and Mohd Zaharon, 2024). By examining users' information security awareness, the tendency of XYZ users to avoid fraud cases that harm customers and banks can be analyzed.

The most common framework to measure information security awareness is the Human Aspects of Information Security Questionnaire (HAIS-Q) (Mahardika et al., 2020). However, HAIS-Q is primarily intended to measure employees' information security awareness. There is also the Cybersecurity Awareness and Training (CAT) Framework, which was developed for remote working employees (Hijji and Alam, 2022). Furthermore, there is no current framework to measure end-user information security awareness. This research intends to build a framework to measure end-user information security awareness.

To reach the technology-savvy retail customer segment, Bank ABC launched a service in the retail banking segment, its digital innovation called XYZ, in 2016 (Bank XYZ Report, 2021). XYZ is a digital bank that helps customers manage life finance, namely the bond between life and finances. XYZ, as a pioneer of digital banking in Indonesia, has a growing number of customers every year (Kamar, n.d.). In addition to the number of customers increasing every year, XYZ also had the highest number of active customers per month in 2021 for the digital bank category in Indonesia (Pahlevi, 2022), which means the majority of Indonesia's digital bank customers use XYZ. This makes research with XYZ users as its subject able to describe the majority of digital bank customers in Indonesia. With more and more customers, the volume and number of transactions at XYZ are also increasing.

In Indonesia, fraud cases are one of the most common cybercrime cases. In the period 2020-2021, there was an increase in fraud cases reported to the police (Annur, 2020). The rise of fraud cases in Indonesia has had an impact on fraud cases in the digital bank sector. Fraud cases in the digital bank sector increased in percentage terms from the second quarter of 2020 to the first quarter of 2021 (AppsFlyer, n.d.). Digital-based transactions, which are getting easier at XYZ, are increasing every year, accompanied by an increase in cybercrime cases, so digital fraud cases are also increasingly prevalent (Chang et al., 2022). With that said, this research will explore the information security awareness of digital bank users in Indonesia.

Fraud cases cause financial losses
for affected customers. Apart from customers, cases of fraud can cause several negative impacts on the bank, such as disclosure of confidential information that should be protected such as intellectual property, competitive advantage, and customer data, the risk of declining bank reputation, operational losses, direct financial losses, and even financial extortion with ransom money (Ohrimenco et al., 2021). Because of these impacts, banks certainly do not want fraud cases to occur to their customers, and these financial and non-financial losses are of particular concern for the bank to deal with (Abidin et al., 2019).

From the bank's internal data, there are around 50 reports per day regarding indications of fraud that need to be handled by the bank, so the potential for fraud is still very high in XYZ (Bank XYZ Report, 2021). Massive sharing of data via social networks regardless of data privatization by customers can also expose customers to privacy threats [18]. The three most common consequences of fraud cases in the form of identity fraud are identity theft, account takeover, and application submission fraud (Soomro et al., 2019).

There are two research questions in this study, namely:

1. "What level of information security awareness do XYZ users have?"
2. "What are the efforts that can be made by Bank ABC to reduce the number of fraud cases caused by customer negligence that occur in its digital bank services, namely XYZ?"

2 Literature Review

The following is an explanation of some of the theoretical foundations that are used as a reference in this study.

2.1 Digital Bank

A digital bank is a form of digitization of bank services that uses technology and innovation to personalize customers' individual needs and can provide easy, smooth, and transparent services to consumers (Ghani et al., 2022). The existence of a digital bank can increase the accessibility of banking services to a larger population, especially in developing countries like Indonesia, so that it can significantly improve a country's economy (Ozili, 2018).

2.2 Fraud

Fraud is an intentional act by a person or several people among managers, employees, or third parties, by deceiving to gain unjustified or illegal benefits (Utami et al., 2020). David Cressey developed the concept of the fraud triangle, which explains the factors that cause someone to commit fraud, namely pressure, opportunities, and rationalization (Tickner and Button, 2021). In its development, the theory was extended with the addition of a new factor, namely capability, which made the fraud triangle theory evolve into the fraud diamond (Ozcelik, 2020).

2.3 Information Security Awareness

Information security awareness can be defined as an assessment of a person's understanding, commitment, and behavior by applicable information
security policies, guidelines, and rules (Kruger and Kearney, 2006). By having good information security awareness, one can act in a good way and implement best practices to maintain security, safety, and privacy (Salem et al., 2021). Thus, increasing information security awareness is one of the most effective ways of maintaining information security (McIlwraith, 2022) and also of educating about the consequences if a security breach occurs (Prakoso et al., 2020). There are three methods of assessing information security awareness of users, namely questionnaires, passive measurements, and attack simulations (Solomon et al., 2022).

2.4 Human Aspects of Information Security Questionnaire

The Human Aspects of Information Security Questionnaire (HAIS-Q) is a survey preparation technique used to measure information security awareness in the dimensions of knowledge, attitude, and behavior, called the KAB model (Wiley et al., 2020). The KAB model itself can be a benchmark for a company to solve various problems (Mahardika et al., 2020), and has a weighting for each dimension used by Kruger (Kruger and Kearney, 2006), with Knowledge having a weight of 30%, Attitude having a weight of 20%, and Behavior having a weight of 50%. HAIS-Q has seven focus areas, namely password management, email use, internet use, social media use, mobile devices, information handling, and incident reporting (Mahardika et al., 2020). Each focus area has its focus sub-areas.

2.5 Analytic Hierarchy Process

The Analytic Hierarchy Process (AHP) is a multi-criteria decision-making (MCDM) model (Asadabadi et al., 2019) which uses human subjects who are experts in their fields to make a decision and can be used for both qualitative and quantitative research (Mahardika et al., 2020). AHP was originally developed to make effective decisions on complex problems so that the problem is simplified and the decision-making process is sped up (Liu et al., 2020). With AHP, complex problems are converted into a hierarchy based on the complexity of the problem, where the highest level is the goal to be achieved, followed by the criteria levels (Orji et al., 2020).

3 Theoretical Framework

In determining the theoretical framework of user information security awareness in digital bank, a systematic literature review is carried out so that the literature can be reviewed in a systematic, explicit, and comprehensive manner to identify, evaluate, and make a synthesis of previous research (Okoli and Schabram, 2010). The methodology developed by Okoli and Schabram supports qualitative and quantitative research in the field of information systems (Ifenthaler and Yau, 2020). Five related pieces of literature were obtained, from IEEEXplore (3 pieces of literature) and LONTAR (Universitas Indonesia's database, with two pieces of literature), namely:

• L1: Measurement of Information Security Awareness Level: A Case
Study of Mobile Banking (M-Banking) Users (Firsty Arisya et al., 2020), from IEEEXplore
• L2: Measurement of Information Security Awareness Level: A Case Study of Online Transportation Users (Prakoso et al., 2020), from IEEEXplore
• L3: Evaluation of Information Security Awareness among Palestinian Learners (Salem et al., 2021), from IEEEXplore
• L4: Analysis of Information Security Awareness Level in Credit Card Customers Using Multiple Criteria Decision Analysis (MCDA): Case Study of Bank XYZ (Fariz, 2020), from LONTAR
• L5: Analysis of Factors Influencing Information Security Awareness and Educational Recommendations for E-Wallet Users in Indonesia (Akbar, 2021), from LONTAR

From previous research, a 3C + 2S analysis was carried out to select focus areas and instruments to be used in this study. The 3C+2S analysis describes all previous research in five parts, namely compare, contrast, criticize, synthesize, and summarize. This analysis aims to ensure the relevance of previous research to the research that the author will conduct. Nine focus areas were identified and used in this study, which can be seen in Figure 1.

The identified focus areas are validated and explored by Bank ABC's internal IT team that deals directly with XYZ. The result of this process is the theoretical framework that can be seen in Figure 1. The elaboration of the framework can be seen in Table 1.

Figure 1. Theoretical Framework.

Table 1. Theoretical Framework Elaboration

| Focus Area | Focus Sub-Area | Justification | References |
|---|---|---|---|
| Password Management (PM) | Using the same password (PM1); Sharing password (PM2); Using the strong password (PM3) | If the password is known by other people, then the risk of being misused and fraudulent actions will arise is very large | L1, L2, L3, L4, L5 |
| Email Use (EU) | Clicking on links in emails from known sender (EU1); Clicking on links in emails from unknown sender (EU2); Opening attachment in emails from unknown sender (EU3) | Email can be used by fraudsters to retrieve sensitive data from users who are not careful in their use | L1, L2, L3, L4 |
| Internet Use (IU) | Downloading files (IU1); Accessing dubious website (IU2); Entering information online (IU3) | Fraud perpetrators can create fake web links that can trap unscrupulous users to provide sensitive data about their accounts and misuse them | L1, L2, L4 |
| Social Media Use (SM) | Social media privacy settings (SM1); Considering consequences (SM2); Posting about private information (SM3) | Users who are not careful can spread sensitive data on their social media and risk being misused by irresponsible people | L1, L2, L3, L4 |
| Mobile Device (MD) | Physically securing mobile devices (MD1); Sending sensitive information via Wi-Fi (MD2); Shoulder surfing (MD3) | Careless use of mobile devices and network usage can make user's account sensitive information retrieved by other people who can access it other than the user himself and vulnerable to be misused | L1, L2, L3, L4 |
| Anti-Fraud Awareness Campaign (AF) | Receiving campaign (AF1); Accepting campaign (AF2) | Bank's explanation regarding the prevention of fraud cases is very important to be known and accepted in order to increase the information security awareness of its users | L4 |
| Card Management (CM) | Storing physical card (CM1); Using physical card (CM2) | On a physical card, there is some sensitive information that needs to be kept confidential by the user and storage and usage must be observed | L4 |
| Concern for Information Privacy (CI) | Trusting other's motives (CI1); Reluctance on giving information (CI2); Action to keep information safe (CI3) | Users' awareness of the use of sensitive account information by other parties is important for user's information security awareness | L5 |
| Self-efficacy in Information Security (SI) | Sensitive information acknowledgement (SI1); Suspicion on fraudster (SI2) | Sensitive information on a user's account will be safe if the user has good personal skills in protecting that information | L5 |

4 Methods

Firstly, a theoretical framework for this research was constructed by using a systematic literature review. The result can be seen in Figure 1. After the framework was constructed, each focus area and sub-focus area needs to be weighted. The weighting process used AHP, through an AHP questionnaire. The AHP questionnaire aims to weight each focus area and sub-focus area using 9 scales and involving 8 experts. An expert is defined as someone who has comprehensive knowledge in a particular field that is not shared by many people (Volkmar et al., 2022). Thus, the experts assigned to this research are practitioners who have developed XYZ directly for more than a year, so they have in-depth knowledge of XYZ.

The next process is getting the value for each focus area and sub-focus area using the Likert questionnaire. For the Likert questionnaire, there are 72 questions, consisting of 36 positive questions and 36 negative questions that have gone through validity and readability testing. The questions can be seen in Appendix 1. The use of positive questions and negative questions is intended to avoid biased responses that can reduce the validity of the research (Suárez-Alvarez et al., 2018). Answers from respondents were measured by a Likert scale which has five values. The scale can be seen in Table 2.

Table 2. Likert Scale

| Indicator | Strongly disagree | Disagree | Neutral | Agree | Strongly Agree |
|---|---|---|---|---|---|
| Positive question | 1 | 2 | 3 | 4 | 5 |
| Negative question | 5 | 4 | 3 | 2 | 1 |

This Likert questionnaire involved 385 respondents. The data obtained from the Likert questionnaire will be calculated for reliability by calculating the Cronbach Alpha value with SPSS. After the reliability test, the data will be processed for each focus area to get a percentage. The processing results will be classified using the Kruger Scale (Kruger and Kearney, 2006) which can be seen in Figure 2.

Figure 2. Kruger Scale

The results of this classification determine the level of information security awareness of XYZ users in related focus areas. From this classification, focus areas that have deficiencies in XYZ users' information security awareness can be identified, so that recommendations can be made to improve these focus areas by adding several theories that support the literature. After the classification of all focus areas is completed, a thorough classification is carried out for XYZ users' information security awareness using the focus area weighting obtained with AHP. The final step was to conduct follow-up interviews with three stakeholders at Bank ABC to discuss acceptance of the recommendations from the research.

5 Result and Discussion

Table 3 shows the final weighting results from the pairwise comparison questionnaire using AHP. Furthermore, the processing of the Likert questionnaire was carried out. The demography of the valid respondents with the total count of 385 can be seen in Figure 3.

For the 385 respondents selected, the Cronbach Alpha value is 0.831 according to calculations with SPSS, which indicates the results of this study have very good reliability and are acceptable. For each question item, the total point value (TPV) of all selected respondents is calculated and then divided by the maximum possible TPV to get the percentage value of the question items. This percentage value will be used for data analysis.

For the analysis of focus sub-areas, the percentage value of each research focus sub-area will be sought. The method is to map the percentage of each question from the relevant sub-area with the weight of the information security awareness dimensions. With this mapping, the percentage value $P$ of the focus sub-area can be calculated in this way:

$$P = \frac{30K + 20A + 50B}{100} \tag{1}$$

where $K$ is the percentage value of the knowledge dimension question items, $A$ is the attitude dimension question item percentage value, and $B$ is the behavior dimension question item percentage value. Each percentage value can be classified with the Kruger scale.

After analyzing the sub-areas of focus, an analysis of the research focus areas is carried out. From this analysis, the percentage value of the research focus area will be generated, as well as the classification of information security awareness with the Kruger scale. The percentage value of the focus area can be calculated by accumulating the percentage value of the focus area related to the focus area multiplied by the weight of the focus area. The percentage values of focus areas and sub-areas of research focus can be seen in Table 4.

After the percentage value of each focus area is obtained, the percentage value of information security awareness of XYZ users can be calculated by accumulating the multiplication of the percentage value of the focus area with the weight of the focus area. As a result, XYZ users' information security awareness value is 81.9770. With the Kruger scale, this value can be classified as good. Thus, XYZ users' information security awareness is in a good category.
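
The scoring steps above can be re-run on the page's own numbers. The Python below is an added example, not the authors' code: it applies Table 2's reverse scoring and equation (1), takes each focus-area percentage as the AHP-weighted sum of its sub-area percentages (Table 3 weights, Table 4 values), and takes the overall value as the weighted sum of the focus areas. The Kruger thresholds (good from 80, moderate from 60) are an assumption, because Figure 2 is not reproduced on this page, and the function names are chosen for illustration.

```python
"""Added example: awareness scoring with Table 3 weights and Table 4 values."""

# focus area -> (AHP focus-area weight %, {sub-area: (AHP sub-area weight %, percentage)})
FRAMEWORK = {
    "PM": (10.19, {"PM1": (17.75, 65.2883), "PM2": (46.06, 84.4468), "PM3": (36.19, 86.6078)}),
    "EU": (5.61, {"EU1": (19.44, 79.4026), "EU2": (35.89, 79.4130), "EU3": (44.67, 77.7558)}),
    "IU": (8.38, {"IU1": (13.84, 66.4104), "IU2": (26.44, 81.6571), "IU3": (59.72, 77.8234)}),
    "SM": (9.44, {"SM1": (36.36, 84.8364), "SM2": (26.90, 79.0805), "SM3": (36.73, 76.2494)}),
    "MD": (8.19, {"MD1": (39.73, 85.5429), "MD2": (28.88, 68.5299), "MD3": (31.39, 88.5299)}),
    "AF": (10.37, {"AF1": (44.01, 84.1403), "AF2": (55.99, 83.3662)}),
    "CM": (10.10, {"CM1": (59.45, 86.4987), "CM2": (40.55, 79.6416)}),
    "CI": (18.34, {"CI1": (11.99, 81.0701), "CI2": (26.51, 86.0935), "CI3": (61.50, 84.0675)}),
    "SI": (19.38, {"SI1": (58.53, 83.1481), "SI2": (41.47, 80.7377)}),
}

# Focus-area percentages as printed in Table 4, used only for cross-checking.
PUBLISHED_FOCUS = {"PM": 81.8282, "EU": 78.6707, "IU": 77.2575, "SM": 80.1255,
                   "MD": 81.5671, "AF": 83.7069, "CM": 83.7181, "CI": 84.2425,
                   "SI": 82.1485}


def item_percentage(responses, negative=False):
    """Total point value over the maximum possible TPV, in percent.

    Negative questions are reverse-scored as in Table 2 (1<->5, 2<->4).
    """
    if not responses or any(r not in (1, 2, 3, 4, 5) for r in responses):
        raise ValueError("responses must be Likert values 1..5")
    points = [6 - r if negative else r for r in responses]
    return 100.0 * sum(points) / (5 * len(points))


def sub_area_percentage(k, a, b):
    """Equation (1): P = (30K + 20A + 50B) / 100."""
    return (30 * k + 20 * a + 50 * b) / 100


def focus_area_percentages():
    """AHP-weighted sum of sub-area percentages for every focus area."""
    return {area: sum(w * p for w, p in subs.values()) / 100
            for area, (_, subs) in FRAMEWORK.items()}


def overall_awareness():
    """AHP-weighted sum of the recomputed focus-area percentages."""
    focus = focus_area_percentages()
    return sum(FRAMEWORK[area][0] * focus[area] for area in focus) / 100


def kruger(p):
    """Classify a percentage. ASSUMPTION: good >= 80, moderate >= 60, else poor."""
    if p >= 80:
        return "good"
    return "moderate" if p >= 60 else "poor"


def not_good():
    """Focus areas and sub-areas below 'good', lowest percentage first."""
    focus = focus_area_percentages()
    areas = sorted((a for a in focus if kruger(focus[a]) != "good"), key=focus.get)
    subs = sorted(((name, p) for _, sd in FRAMEWORK.values()
                   for name, (_, p) in sd.items() if kruger(p) != "good"),
                  key=lambda item: item[1])
    return areas, subs


def discrepancies(tol=0.001):
    """Focus areas whose recomputed value differs from the printed one by > tol."""
    focus = focus_area_percentages()
    return {a: (round(focus[a], 4), PUBLISHED_FOCUS[a])
            for a in focus if abs(focus[a] - PUBLISHED_FOCUS[a]) > tol}


if __name__ == "__main__":
    print("overall:", round(overall_awareness(), 4), kruger(overall_awareness()))
    print("not good:", not_good())
    print("recomputed vs printed:", discrepancies())
```

Run as a script, it prints an overall value of 81.977 and lists the same two focus areas and ten sub-areas that the paper reports as not good. The only cross-check that fails is CI, whose sub-area values recompute to 84.2452 against the 84.2425 printed in Table 4.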


Table 3. AHP Processing Result

| Focus Area | Focus Area Weight | Focus Sub-Area | Focus Sub-Area Weight |
|---|---|---|---|
| Password Management (PM) | 10,19 % | Using the same password (PM1) | 17,75 % |
| | | Sharing password (PM2) | 46,06 % |
| | | Using the strong password (PM3) | 36,19 % |
| Email Use (EU) | 5,61 % | Clicking on links in emails from known sender (EU1) | 19,44 % |
| | | Clicking on links in emails from unknown sender (EU2) | 35,89 % |
| | | Opening attachment in emails from unknown sender (EU3) | 44,67 % |
| Internet Use (IU) | 8,38 % | Downloading files (IU1) | 13,84 % |
| | | Accessing dubious website (IU2) | 26,44 % |
| | | Entering information online (IU3) | 59,72 % |
| Social Media Use (SM) | 9,44 % | Social media privacy settings (SM1) | 36,36 % |
| | | Considering consequences (SM2) | 26,90 % |
| | | Posting about private information (SM3) | 36,73 % |
| Mobile Device (MD) | 8,19 % | Physically securing mobile devices (MD1) | 39,73 % |
| | | Sending sensitive information via Wi-Fi (MD2) | 28,88 % |
| | | Shoulder surfing (MD3) | 31,39 % |
| Anti-Fraud Awareness Campaign (AF) | 10,37 % | Receiving campaign (AF1) | 44,01 % |
| | | Accepting campaign (AF2) | 55,99 % |
| Card Management (CM) | 10,10 % | Storing physical card (CM1) | 59,45 % |
| | | Using physical card (CM2) | 40,55 % |
| Concern for Information Privacy (CI) | 18,34 % | Trusting other's motives (CI1) | 11,99 % |
| | | Reluctance on giving information (CI2) | 26,51 % |
| | | Action to keep information safe (CI3) | 61,50 % |
| Self-efficacy in Information Security (SI) | 19,38 % | Sensitive information acknowledgement (SI1) | 58,53 % |
| | | Suspicion on fraudster (SI2) | 41,47 % |
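
Weights like those in Table 3 are the output of the AHP step described in the Methods section. As an added illustration (not the authors' code), the Python below derives such weights from pairwise comparison matrices on the 1-9 scale. It assumes the standard Saaty procedure (element-wise geometric mean across experts, principal eigenvector, consistency ratio with a 0.10 cut-off), which the page does not spell out, and it uses two constructed expert matrices rather than the study's questionnaire data.

```python
"""Added example: AHP weights from pairwise comparison matrices (constructed data)."""
import math

# Saaty's random consistency index by matrix order (standard published values);
# nine entries are enough for the nine focus areas used on this page.
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}
TOL = 1e-9


def validate(matrix):
    """Reject matrices that are not square, reciprocal and on the 1/9..9 scale."""
    n = len(matrix)
    for i in range(n):
        if len(matrix[i]) != n or abs(matrix[i][i] - 1) > TOL:
            raise ValueError("matrix must be square with a unit diagonal")
        for j in range(n):
            a = matrix[i][j]
            if not (1 / 9 - TOL <= a <= 9 + TOL):
                raise ValueError("judgments must lie on the 1/9..9 scale")
            if abs(a * matrix[j][i] - 1) > 1e-6:
                raise ValueError("matrix must be reciprocal: a[j][i] == 1 / a[i][j]")


def aggregate(matrices):
    """Element-wise geometric mean of the experts' matrices (keeps reciprocity)."""
    n, m = len(matrices[0]), len(matrices)
    return [[math.prod(e[i][j] for e in matrices) ** (1 / m) for j in range(n)]
            for i in range(n)]


def priority_vector(matrix, iterations=200):
    """Principal eigenvector by power iteration; returns (weights, lambda_max)."""
    n = len(matrix)
    w = [1 / n] * n
    for _ in range(iterations):
        v = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(v)
        w = [x / total for x in v]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / w[i] for i in range(n)) / n
    return w, lam


def consistency_ratio(lam, n):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); 1x1 and 2x2 are always consistent."""
    if n < 3:
        return 0.0
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n]


def ahp_weights(matrices, max_cr=0.10):
    """Return (weights, consistency ratio, acceptable) for a group of experts."""
    for m in matrices:
        validate(m)
    combined = aggregate(matrices)
    weights, lam = priority_vector(combined)
    cr = consistency_ratio(lam, len(combined))
    return weights, cr, cr <= max_cr


# Constructed judgments over [PM1, PM2, PM3]; entry [i][j] says how much more
# important row item i is than column item j. Not data from the study.
EXPERT_A = [[1, 1 / 3, 1 / 2], [3, 1, 2], [2, 1 / 2, 1]]
EXPERT_B = [[1, 1 / 2, 1 / 2], [2, 1, 1], [2, 1, 1]]
# Constructed circular judgments (A >> B >> C >> A): reciprocal but incoherent.
CIRCULAR = [[1, 9, 1 / 9], [1 / 9, 1, 9], [9, 1 / 9, 1]]

if __name__ == "__main__":
    weights, cr, ok = ahp_weights([EXPERT_A, EXPERT_B])
    print([round(100 * w, 2) for w in weights], round(cr, 4), ok)
    print(ahp_weights([CIRCULAR])[1:])
```

The circular matrix passes the reciprocity check yet fails the consistency check, which is the case where a questionnaire would normally go back to the expert rather than into the weights.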

Figure 3. Respondents Demography

Table 4. Processing Results of Focus Areas and Sub-Areas of Research Focus

| Focus Area | Percentage | Focus Sub-Area | Percentage |
|---|---|---|---|
| Password Management (PM) | 81,8282 | Using the same password (PM1) | 65,2883 |
| | | Sharing password (PM2) | 84,4468 |
| | | Using the strong password (PM3) | 86,6078 |
| Email Use (EU) | 78,6707 | Clicking on links in emails from known sender (EU1) | 79,4026 |
| | | Clicking on links in emails from unknown sender (EU2) | 79,4130 |
| | | Opening attachment in emails from unknown sender (EU3) | 77,7558 |
| Internet Use (IU) | 77,2575 | Downloading files (IU1) | 66,4104 |
| | | Accessing dubious website (IU2) | 81,6571 |
| | | Entering information online (IU3) | 77,8234 |
| Social Media Use (SM) | 80,1255 | Social media privacy settings (SM1) | 84,8364 |
| | | Considering consequences (SM2) | 79,0805 |
| | | Posting about private information (SM3) | 76,2494 |
| Mobile Device (MD) | 81,5671 | Physically securing mobile devices (MD1) | 85,5429 |
| | | Sending sensitive information via Wi-Fi (MD2) | 68,5299 |
| | | Shoulder surfing (MD3) | 88,5299 |
| Anti-Fraud Awareness Campaign (AF) | 83,7069 | Receiving campaign (AF1) | 84,1403 |
| | | Accepting campaign (AF2) | 83,3662 |
| Card Management (CM) | 83,7181 | Storing physical card (CM1) | 86,4987 |
| | | Using physical card (CM2) | 79,6416 |
| Concern for Information Privacy (CI) | 84,2425 | Trusting other's motives (CI1) | 81,0701 |
| | | Reluctance on giving information (CI2) | 86,0935 |
| | | Action to keep information safe (CI3) | 84,0675 |
| Self-efficacy in Information Security (SI) | 82,1485 | Sensitive information acknowledgement (SI1) | 83,1481 |
| | | Suspicion on fraudster (SI2) | 80,7377 |

Ten focus sub-areas have a category of information security that is not yet good, which come from six focus areas, and two focus areas have a category of information security that is not good. To determine the priority of recommendations, the focus areas and sub-focus areas that have a not good category are ranked based on the percentage value of information security awareness.

A worse percentage value indicates a greater urgency for improvement in the focus areas and focus sub-areas. The sub-areas of focus along with the focus areas that have been ranked can be seen in Table 5.

Table 5. Priority Areas and Focus Sub-Areas that Are Not in Good Category

| Focus Area | Percentage | Focus Sub-Area | Percentage |
|---|---|---|---|
| Internet Use (IU) | 77,2575 | Downloading files (IU1) | 66,4104 |
| | | Entering information online (IU3) | 77,8234 |
| Email Use (EU) | 78,6707 | Opening attachment in emails from unknown sender (EU3) | 77,7558 |
| | | Clicking on links in emails from known sender (EU1) | 79,4026 |
| | | Clicking on links in emails from unknown sender (EU2) | 79,4130 |
| Social Media Use (SM) | 80,1255 | Posting about private information (SM3) | 76,2494 |
| | | Considering consequences (SM2) | 79,0805 |
| Mobile Device (MD) | 81,5671 | Sending sensitive information via Wi-Fi (MD2) | 68,5299 |
| Password Management (PM) | 81,8282 | Using the same password (PM1) | 65,2883 |
| Card Management (CM) | 83,7181 | Using physical card (CM2) | 79,6416 |

The following is a discussion of focus areas and focus sub-areas that do not have good information security awareness.

5.1 Internet Use

In the internet use focus area, the focus sub-areas which have a moderate category are downloading files and entering information online. This indicates that there is a vulnerability in the information security of XYZ users in using the internet in the aspects of the two sub-areas mentioned.

The number of files on the internet continues to increase every day and there is no guarantee that all files are safe and virus-free, because a virus can be embedded in a file or program (Matveev et al., 2021). If the user downloads a file that contains a virus or other malware (harmful content), the user's device can be infected and there is a possible threat of loss or theft of user data, including user XYZ account data (Wang, 2022).

Users can also spread confidential XYZ account information unknowingly if they are not careful in filling in this information on fake websites created by fraudsters, which allows misuse of users' XYZ accounts by irresponsible parties (Kelley et al., 2023).

5.2 Email Use an internet page that has been prepared


by the fraudster or it can also attach a ile
In the email use focus area, the focus that can endanger the device security
sub‑areas that have a moderate category of the user who downloads it (Já ñ ez‑
are clicking on links in emails from Martino et al., 2023).
known senders, clicking on links in There are also phishing threats in
emails from unknown senders, and the form of text or known as smishing
opening attachments in emails from which is more personal so they can make
unknown senders. This indicates that the victim less alert (Mishra and Soni,
the information security awareness 2020). If the user clicks on the link or
of XYZ users in this focus area has downloads the attachment, information
weaknesses in all its sub‑areas. This about the user’s XYZ account becomes
focus area is concerned with how XYZ compromised (Baki and Verma, 2023).
users use email or other communication
media, especially in terms of clicking on
links and downloading attachments in 5.3 Social Media Use
emails or other communication media. In the focus area of social media
The biggest threat in this focus area use, the focus sub‑area which has
is the practice of email phishing, which a moderate category is considering
are activity carried out by fraudsters by the consequences and posting about
sending emails claiming false identities private information. This indicates
to obtain sensitive information from that XYZ users tend to think less about
their victims (Jalali et al., 2020). In email the consequences of sharing personal
phishing, the email can contain a link to information on social media. Social

WJIT: Walisongo Journal of Information Technology – Vol. 5 No. 2 (2023)

114 |
Information Security Awareness Analysis on Digital Bank Customer Using Analytic Hierarchy
Process: Case Study at XYZ Application from Bank ABC

media allows people to connect and exchange content (Olanrewaju et al., 2020).

However, social media also has an impact on privacy because everyone can share any information, including personal information. If the information has been shared, then no one guarantees the security of the information that has been shared because the information or the user-generated data will become a digital footprint that can be seen by other people (Beigi and Liu, 2020). This is a threat to the security of the user’s XYZ account because personal information that should not be shared may be taken by fraudsters to help them access the user’s XYZ account.

5.4 Password Management

In the password management focus area, the focus sub-area that has a moderate category is using the same password. This indicates that XYZ users still tend to use the same password for XYZ accounts and various other applications on their devices. This can be a vulnerability because a password guesser can find out the password of a user’s account (Murray and Malone, 2022). Even people who are known to the user have the possibility of knowing the password of an application belonging to user XYZ. If the application password is the same as the user’s XYZ password, or the user’s application passwords are stored plainly in user records like notes, the security of the user’s account will be threatened (Yıldırım and Mackie, 2019).

5.5 Mobile Device

In the mobile device focus area, the focus sub-area which has a moderate category is sending sensitive information via Wi-Fi. This indicates that not all XYZ users are aware of the dangers of accessing and sending sensitive information, including access to XYZ applications via public Wi-Fi networks.

Public Wi-Fi networks can be exploited by criminals by eavesdropping (knowing all activity that users do without the user knowing while using Wi-Fi), DNS hijacking, cryptojacking (the act of hijacking a computer to mine cryptocurrencies against the user’s will), and deployment of malicious hotspots (Wi-Fi set up by fraudsters to retrieve information from connected devices) (Gao et al., 2021). IP spoofing (pretending to be someone else) and ARP poisoning (corrupting the ARP or Address Resolution Protocol on a local network) can also happen when using public Wi-Fi (Sinha et al., 2019).

5.6 Card Management

In the card management focus area, the focus sub-area which has a moderate category is using physical cards. The use of XYZ physical cards in transactions or the use of ATMs is a separate threat to the security of the user’s XYZ account. Sensitive information printed on the user’s physical card such as card number, card expiration date, and CVV has the possibility of being known by other people during transactions. If this information is known, then people who know this can use the user’s XYZ account to make transactions, and eventually, fraud occurs (Ezennaya-Gomez et al., 2022). In addition, there is a possibility of skimming if the user’s card still uses magnetic strip technology (Guers et al., 2022).


6 Conclusion

This study aims to measure the level of information security awareness of XYZ users so that appropriate actions can be determined to increase the information security awareness of XYZ users according to the areas of focus that need to be improved. This study has nine focus areas taken from several previous studies and validated by Bank ABC’s internal IT team that deals directly with XYZ. The nine focus areas are password management, email use, internet use, social media use, mobile devices, social engineering, anti-fraud awareness campaign, PIN management, card management, concern for information privacy, user competency, and self-efficacy in information security. Each focus area has its sub-areas with a total of 24 research sub-areas. Knowledge, Attitude, and Behavior dimensions are also used to measure each sub-area.

After the focus areas were identified, focus area weighting was carried out involving 8 experts who were practitioners who had directly developed XYZ for more than a year and so have in-depth knowledge about XYZ. To determine the level of information security awareness, 385 respondents who were active XYZ users filled out a questionnaire with 72 questions with five Likert scales. The data collected has a Cronbach Alpha value of 0.831, which indicates high reliability. The data is then classified using the Kruger scale to determine whether the measured object has a good, moderate, or poor level of information security awareness.

From the results of data collection, the value of information security awareness of XYZ users is 81.9770, which indicates that the level of information security awareness is at a good level. Furthermore, there are ten sub-areas out of six focus areas that have poor or moderate information security awareness classification and two focus areas whose information security awareness classification is not good or moderate. For each sub-area and research focus area that is not good enough, recommendations for efforts that can be made by the bank are given to increase the information security awareness of XYZ users as a whole, and these have been validated and accepted by the bank.

The following suggestions can be acted on by Bank ABC to increase the information security awareness of XYZ users:

1. Creating education about information security awareness on the XYZ social media channel which does not yet have information security awareness educational content like TikTok.
2. Prioritize increasing awareness of information security in the focus areas of internet use and email use that have poor or moderate information security awareness classifications.
3. Provide education about virus threats and also check the validity of websites that users visit for internet use focus areas.
4. Provide education about the threat of email phishing and smishing and check the validity of email senders and links contained in emails for email use focus areas.
5. Encouraging XYZ users to be wise in using social media and monitoring trends that endanger the security of user information for social media use focus areas.
6. Provide education about the dangers of sending sensitive information with public Wi-Fi, education about device permissions, and detect the network used by users when accessing XYZ for mobile device focus areas.
7. Provide education about using XYZ passwords that are different from other applications and storing and changing XYZ passwords regularly for password management focus areas.
8. Replacing the user’s physical card with chip technology that has better security effectiveness, removing sensitive information from the physical card, and educating on how to use the card properly and safely for card management focus areas.
9. Conduct research that aims to determine the level of education acceptance from XYZ towards its users.

For future work, the following items would be interesting to study:

1. Create a framework for solving external fraud problems that has a list of lessons learned from resolving various fraud cases that have occurred. This is useful for providing appropriate steps in resolving future fraud cases. This can also help document the modus operandi of fraud cases that have never existed before because the modus operandi of fraud will always evolve along with technological developments.
2. Creating a framework to continuously measure user information security awareness. This can assist in monitoring the information security awareness of XYZ users and can also be aimed at helping maintain the information security awareness of its users at a good level. The focus areas in this research can be a good reference for the dimensions of the framework.
3. Exploring the critical success factors of campaign acceptance given related to information security awareness. This can help companies to create educational content about information security awareness that can be better received by their users.

Reference

Abidin, M. A. Z., Nawawi, A. and Salin, A. S. A. P. (2019), ‘Customer data security and theft: a Malaysian organization’s experience’, Information & Computer Security 27(1), 81–100. doi: 10.1108/ICS-04-2018-0043.

Abulhaija, S., Hattab, S. and Qusef, A. (2022), Cyber Security Awareness, Knowledge and Behavior in the Banking Sector in Jordan, in ‘2022 13th International Conference on Information and Communication Systems (ICICS)’, IEEE, pp. 48–53. doi: 10.1109/ICICS55353.2022.9811212.

Akbar, M. (2021), Analisis faktor yang mempengaruhi kesadaran keamanan informasi dan rekomendasi edukasi pada pengguna e-wallet di Indonesia, Master thesis, Universitas Indonesia.

Ali, M. M. and Mohd Zaharon, N. F. (2024), ‘Phishing—A Cyber Fraud: The Types, Implications and Governance’, International Journal of Educational Reform 33(1), 101–121. doi: 10.1177/10567879221082966.

Annur, C. M. (2020), ‘Daftar Kejahatan Siber yang Paling Banyak Dilaporkan ke Polisi’.
URL: [Link]
siber-yang-paling-banyak-dilaporkan-ke-polisi

AppsFlyer (n.d.), ‘Mobile attribution & marketing analytics for Finance app marketers – the complete guide’.
URL: [Link] [Link]/resources/guides/finance-apps-mobile-attribution-analytics/

Asadabadi, M. R., Chang, E. and Saberi, M. (2019), ‘Are MCDM methods useful? A critical review of Analytic Hierarchy Process (AHP) and Analytic Network Process (ANP)’, Cogent Engineering 6(1). doi: 10.1080/23311916.2019.1623153.

Baki, S. and Verma, R. M. (2023), ‘Sixteen Years of Phishing User Studies: What Have We Learned?’, IEEE Transactions on Dependable and Secure Computing 20(2), 1200–1212. doi: 10.1109/TDSC.2022.3151103.

Bank XYZ Report (2021), Technical report.

Beigi, G. and Liu, H. (2020), ‘A Survey on Privacy in Social Media’, ACM/IMS Transactions on Data Science 1(1), 1–38. doi: 10.1145/3343038.

Chang, V., Doan, L. M. T., Di Stefano, A., Sun, Z. and Fortino, G. (2022), ‘Digital payment fraud detection methods in digital ages and Industry 4.0’, Computers and Electrical Engineering 100, 107734. doi: 10.1016/[Link].2022.107734.

Das, S., Nippert-Eng, C. and Camp, L. J. (2022), ‘Evaluating user susceptibility to phishing attacks’, Information & Computer Security 30(1), 1–18. doi: 10.1108/ICS-12-2020-0204.

Desolda, G., Ferro, L. S., Marrella, A., Catarci, T. and Costabile, M. F. (2022), ‘Human Factors in Phishing Attacks: A Systematic Literature Review’, ACM Computing Surveys 54(8), 1–35. doi: 10.1145/3469886.


Ezennaya-Gomez, S., Blumenthal, E., Eckardt, M., Krebs, J., Kuo, C., Porbeck, J., Toplu, E., Kiltz, S. and Dittmann, J. (2022), Revisiting Online Privacy and Security Mechanisms Applied in the In-App Payment Realm from the Consumers’ Perspective, in ‘Proceedings of the 17th International Conference on Availability, Reliability and Security’, ACM, New York, NY, USA, pp. 1–12. doi: 10.1145/3538969.3543786.

Fariz, A. (2020), Analisis tingkat kesadaran keamanan informasi pada nasabah kartu kredit menggunakan multiple criteria decision analysis (MCDA): studi kasus Bank XYZ, Master thesis, Universitas Indonesia.

Firsty Arisya, K., Ruldeviyani, Y., Prakoso, R. and Lailatul Fadhilah, A. (2020), Measurement of Information Security Awareness Level: A Case Study of Mobile Banking (M-Banking) Users, in ‘2020 Fifth International Conference on Informatics and Computing (ICIC)’, IEEE, pp. 1–5. doi: 10.1109/ICIC50835.2020.9288516.

Gao, D., Lin, H., Li, Z., Qian, F., Chen, Q. A., Qian, Z., Liu, W., Gong, L. and Liu, Y. (2021), A nationwide census on wifi security threats, in ‘Proceedings of the 27th Annual International Conference on Mobile Computing and Networking’, ACM, New York, NY, USA, pp. 242–255. doi: 10.1145/3447993.3448620.

Ghani, E. K., Ali, M. M., Musa, M. N. R. and Omonov, A. A. (2022), ‘The Effect of Perceived Usefulness, Reliability, and COVID-19 Pandemic on Digital Banking Effectiveness: Analysis Using Technology Acceptance Model’, Sustainability 14(18), 11248. doi: 10.3390/su141811248.

Guers, K., Chowdhury, M. M. and Rifat, N. (2022), Card Skimming: A Cybercrime by Hackers, in ‘2022 IEEE International Conference on Electro Information Technology (eIT)’, IEEE, pp. 575–579. doi: 10.1109/eIT53891.2022.9813890.

Hassandoust, F., Subasinghage, M. and Johnston, A. C. (2022), ‘A neo-institutional perspective on the establishment of information security knowledge sharing practices’, Information & Management 59(1), 103574. doi: 10.1016/[Link].2021.103574.

Hijji, M. and Alam, G. (2022), ‘Cybersecurity Awareness and Training (CAT) Framework for Remote Working Employees’, Sensors 22(22), 8663. doi: 10.3390/s22228663.

Ifenthaler, D. and Yau, J. Y.-K. (2020), ‘Utilising learning analytics to support study success in higher education: a systematic review’, Educational Technology Research and Development 68(4), 1961–1990. doi: 10.1007/s11423-020-09788-z.

Jalali, M. S., Bruckes, M., Westmattelmann, D. and Schewe, G. (2020), ‘Why Employees (Still) Click on Phishing Links: An Investigation in Hospitals’, Journal of Medical Internet Research 22(1), e16775. doi: 10.2196/16775.

Jáñez-Martino, F., Alaiz-Rodríguez, R., González-Castro, V., Fidalgo, E. and Alegre, E. (2023), ‘A review of spam email detection: analysis of spammer strategies and the dataset shift problem’, Artificial Intelligence Review 56(2), 1145–1173. doi: 10.1007/s10462-022-10195-4.

Kamar, O. (n.d.), ‘Jenius BTPN: Jumlah Nasabah, Simpanan, dan Pengaduan’.

Kelley, N. J., Hurley-Wallace, A. L., Warner, K. L. and Hanoch, Y. (2023), ‘Analytical reasoning reduces internet fraud susceptibility’, Computers in Human Behavior 142, 107648. doi: 10.1016/[Link].2022.107648.

Kruger, H. and Kearney, W. (2006), ‘A prototype for assessing information security awareness’, Computers & Security 25(4), 289–296. doi: 10.1016/[Link].2006.02.008.

Liu, Y., Eckert, C. M. and Earl, C. (2020), ‘A review of fuzzy AHP methods for decision-making with subjective judgements’, Expert Systems with Applications 161, 113738. doi: 10.1016/[Link].2020.113738.

Mahardika, M. S., Hidayanto, A. N., Paramartha, P. A., Ompusunggu, L. D., Mahdalina, R. and Affan, F. (2020), ‘Measurement of Employee Awareness Levels for Information Security at the Center of Analysis and Information Services Judicial Commission Republic of Indonesia’, Advances in Science, Technology and Engineering Systems Journal 5(3), 501–509. doi: 10.25046/aj050362.

Matveev, V., Nykytchenko, O. E., Stefanova, N., Khrypko, S., Ishchuk, A., Ishchuk, O. and Bondar, T. (2021), ‘Cybercrime in the Economic Space: Psychological Motivation and Semantic-Terminological Specifics’, IJCSNS International Journal of Computer Science and Network Security 21(11), 135–142.

McIlwraith, A. (2022), Information Security and Employee Behaviour: How to Reduce Risk Through Employee Education, Training and Awareness, 2nd edn, Routledge, New York, NY, USA.


Mishra, S. and Soni, D. (2020), ‘Smishing Detector: A security model to detect smishing through SMS content analysis and URL behavior analysis’, Future Generation Computer Systems 108, 803–815. doi: 10.1016/[Link].2020.03.021.

Murray, H. and Malone, D. (2022), Choosing Wordlists for Password Guessing: An Adaptive Multi-armed Bandit Approach, in E. Aïmeur, M. Laurent, R. Yaich, B. Dupont and J. Garcia-Alfaro, eds, ‘Foundations and Practice of Security. FPS 2021. Lecture Notes in Computer Science, vol 13291’, Springer, Cham, pp. 393–413. doi: 10.1007/978-3-031-08147-7_27.

Ohrimenco, S., Borta, G. and Cernei, V. (2021), Estimation of the Key Segments of the Cyber Crime Economics, in ‘2021 IEEE 8th International Conference on Problems of Infocommunications, Science and Technology (PIC S&T)’, IEEE, pp. 103–107. doi: 10.1109/PICST54195.2021.9772165.

Okoli, C. and Schabram, K. (2010), ‘A Guide to Conducting a Systematic Literature Review of Information Systems Research’, SSRN Electronic Journal. doi: 10.2139/ssrn.1954824.

Olanrewaju, A.-S. T., Hossain, M. A., Whiteside, N. and Mercieca, P. (2020), ‘Social media and entrepreneurship research: A literature review’, International Journal of Information Management 50, 90–110. doi: 10.1016/[Link].2019.05.011.

Orji, I. J., Kusi-Sarpong, S., Huang, S. and Vazquez-Brust, D. (2020), ‘Evaluating the factors that influence blockchain adoption in the freight logistics industry’, Transportation Research Part E: Logistics and Transportation Review 141, 102025. doi: 10.1016/[Link].2020.102025.

Ozcelik, H. (2020), An Analysis of Fraudulent Financial Reporting Using the Fraud Diamond Theory Perspective: An Empirical Study on the Manufacturing Sector Companies Listed on the Borsa Istanbul, in S. Grima, E. Boztepe and P. Baldacchino, eds, ‘Contemporary Issues in Audit Management and Forensic Accounting (Contemporary Studies in Economic and Financial Analysis, Vol. 102)’, Emerald Publishing Limited, pp. 131–153. doi: 10.1108/S1569-375920200000102012.

Ozili, P. K. (2018), ‘Impact of digital finance on financial inclusion and stability’, Borsa Istanbul Review 18(4), 329–340. doi: 10.1016/[Link].2017.12.003.

Pahlevi, R. (2022), ‘Jumlah Pengguna Aktif Bulanan Bank Digital Jenius Tertinggi di Indonesia’.
URL: [Link]
pengguna-aktif-bulanan-bank-digital-jenius-tertinggi-di-indonesia#: :text=Pada
2021%2C jumlah pengguna aktif,mencapai 2%2C34 juta pengguna

Prakoso, R., Ruldeviyani, Y., Arisya, K. F. and Fadhilah, A. L. (2020), Measurement of Information Security Awareness Level: A Case Study of Online Transportation Users, in ‘2020 3rd International Seminar on Research of Information Technology and Intelligent Systems (ISRITI)’, IEEE, pp. 170–175. doi: 10.1109/ISRITI51436.2020.9315375.

Salem, Y., Moreb, M. and Rabayah, K. S. (2021), Evaluation of Information Security Awareness among Palestinian Learners, in ‘2021 International Conference on Information Technology (ICIT)’, IEEE, pp. 21–26. doi: 10.1109/ICIT52682.2021.9491639.

Sinha, P., kumar Rai, A. and Bhushan, B. (2019), Information Security threats and attacks with conceivable counteraction, in ‘2019 2nd International Conference on Intelligent Computing, Instrumentation and Control Technologies (ICICICT)’, IEEE, pp. 1208–1213. doi: 10.1109/ICICICT46008.2019.8993384.

Solomon, A., Michaelshvili, M., Bitton, R., Shapira, B., Rokach, L., Puzis, R. and Shabtai, A. (2022), ‘Contextual security awareness: A context-based approach for assessing the security awareness of users’, Knowledge-Based Systems 246, 108709. doi: 10.1016/[Link].2022.108709.

Soomro, Z. A., Ahmed, J., Shah, M. H. and Khoumbati, K. (2019), ‘Investigating identity fraud management practices in e-tail sector: a systematic review’, Journal of Enterprise Information Management 32(2), 301–324. doi: 10.1108/JEIM-06-2018-0110.

Suárez-Alvarez, J., Pedrosa, I., Lozano, L. M., García-Cueto, E., Cuesta, M. and Muñiz, J. (2018), ‘Using reversed items in Likert scales: A questionable practice.’, Psicothema 30(2), 149–158. doi: 10.7334/psicothema2018.33.

Syafitri, W., Shukur, Z., Mokhtar, U. A., Sulaiman, R. and Ibrahim, M. A. (2022), ‘Social Engineering Attacks Prevention: A Systematic Literature Review’, IEEE Access 10, 39325–39343. doi: 10.1109/ACCESS.2022.3162594.

Tickner, P. and Button, M. (2021), ‘Deconstructing the origins of Cressey’s Fraud Triangle’, Journal of Financial Crime 28(3), 722–731. doi: 10.1108/JFC-10-2020-0204.

Utami, W., Nugroho, L., Mappanyuki, R. and Yelvionita, V. (2020), ‘Early Warning Fraud Determinants in Banking Industries’, Asian Economic and Financial Review 10(6), 604–627. doi: 10.18488/[Link].2020.106.604.627.

Volkmar, G., Fischer, P. M. and Reinecke, S. (2022), ‘Artificial Intelligence and Machine Learning: Exploring drivers, barriers, and future developments in marketing management’, Journal of Business Research 149, 599–614. doi: 10.1016/[Link].2022.04.007.

Wang, P. (2022), ‘Analysis of Computer Virus Defense Strategy Based on Network Security’, Academic Journal of Computing & Information Science 5(14), 33–39. doi: 10.25236/AJCIS.2022.051405.

Whitman, M. E. and Mattord, H. J. (2021), Principles of Information Security, 7th edn, Cengage Learning.

Wiley, A., McCormac, A. and Calic, D. (2020), ‘More than the individual: Examining the relationship between culture and Information Security Awareness’, Computers & Security 88, 101640. doi: 10.1016/[Link].2019.101640.

Yıldırım, M. and Mackie, I. (2019), ‘Encouraging users to improve password security and memorability’, International Journal of Information Security 18(6), 741–759. doi: 10.1007/s10207-019-00429-y.


Appendix 1. The Questionnaire

Code | Focus Area | Sub-Focus Area | Question
PM1 - K (-) | Password Management - Knowledge | Using the same password | Using other personal account password for XYZ is acceptable.
PM1 - A (-) | Password Management - Attitude | Using the same password | Using other personal account password for XYZ is safe.
PM1 - B (+) | Password Management - Behavior | Using the same password | My XYZ account have different password from my other personal accounts.
PM2 - K (-) | Password Management - Knowledge | Sharing password | Sharing XYZ account password with people I know is acceptable.
PM2 - A (+) | Password Management - Attitude | Sharing password | Sharing XYZ account password with people I know is a bad idea although that people ask for it.
PM2 - B (-) | Password Management - Behavior | Sharing password | I share XYZ account password to people I know.
PM3 - K (+) | Password Management - Knowledge | Using the strong password | A combination of letter, number, and symbol is needed for password security.
PM3 - A (-) | Password Management - Attitude | Using the strong password | Password that consists of just letters is safe.
PM3 - B (+) | Password Management - Behavior | Using the strong password | I use combination of letter, number, and symbol for my XYZ account password.
EU1 - K (-) | Email Use - Knowledge | Clicking on links in emails from known sender | Clicking any link in email from people I know is acceptable.
EU1 - A (-) | Email Use - Attitude | Clicking on links in emails from known sender | Clicking any link in email from people I know is safe.
EU1 - B (+) | Email Use - Behavior | Clicking on links in emails from known sender | I don’t always click any link in email just because it’s sent from people I know.
EU2 - K (+) | Email Use - Knowledge | Clicking on links in emails from unknown sender | Clicking any link in email from unknown sender is not acceptable.
EU2 - A (-) | Email Use - Attitude | Clicking on links in emails from unknown sender | Nothing bad will happen if I click any link in email from unknown sender.
EU2 - B (-) | Email Use - Behavior | Clicking on links in emails from unknown sender | I click the link in email from unknown sender if it’s interesting.
EU3 - K (-) | Email Use - Knowledge | Opening attachment in emails from unknown sender | Opening attachment in email from unknown sender is acceptable.
EU3 - A (+) | Email Use - Attitude | Opening attachment in emails from unknown sender | Opening attachment in email from unknown sender is risky.

EU3 - B (+) | Email Use - Behavior | Opening attachment in emails from unknown sender | I don’t open attachment if it’s from unknown sender.
IU1 - K (-) | Internet Use - Knowledge | Downloading files | Downloading any file from internet to my device is acceptable.
IU1 - A (+) | Internet Use - Attitude | Downloading files | Downloading any file from internet to my device is risky.
IU1 - B (-) | Internet Use - Behavior | Downloading files | I download any file from internet to finish my task.
IU2 - K (+) | Internet Use - Knowledge | Accessing dubious website | Not every website in internet is safe to be accessed.
IU2 - A (+) | Internet Use - Attitude | Accessing dubious website | I’m not sure all website is safe to be accessed.
IU2 - B (-) | Internet Use - Behavior | Accessing dubious website | I open any website, even I use VPN (Virtual Private Network) to access it if it can’t be opened normally.
IU3 - K (-) | Internet Use - Knowledge | Entering information online | Entering any information in website to finish a task is acceptable.
IU3 - A (-) | Internet Use - Attitude | Entering information online | If it can finish a task, I don’t care what information that I enter in website.
IU3 - B (+) | Internet Use - Behavior | Entering information online | I assess website security before entering information inside it.
SM1 - K (+) | Social Media Use - Knowledge | Social media privacy settings | I supposed to review my social media privacy setting regularly.
SM1 - A (+) | Social Media Use - Attitude | Social media privacy settings | Reviewing my social media privacy setting regularly is a good idea to be done.
SM1 - B (-) | Social Media Use - Behavior | Social media privacy settings | I don’t review my social media privacy setting regularly.
SM2 - K (-) | Social Media Use - Knowledge | Considering consequences | Things I share in social media will not be misused by other people.
SM2 - A (-) | Social Media Use - Attitude | Considering consequences | Sharing something in social media that I will not share in public is acceptable.
SM2 - B (+) | Social Media Use - Behavior | Considering consequences | I don’t share something in social media before considering negative consequences that can happen.
SM3 - K (-) | Social Media Use - Knowledge | Posting about private information | I can share any information about myself in social media.
SM3 - A (+) | Social Media Use - Attitude | Posting about private information | Sharing information about myself in social media is risky.
SM3 - B (-) | Social Media Use - Behavior | Posting about private information | I share anything that I want to share in social media.

MD1 - K (+) | Mobile Device - Knowledge | Physically securing mobile devices | When in public and carrying a handphone, I always make sure I keep an eye on my handphone.
MD1 - A (-) | Mobile Device - Attitude | Physically securing mobile devices | Leaving my handphone or laptop in public even for just a minute without supervision is safe.
MD1 - B (-) | Mobile Device - Behavior | Physically securing mobile devices | When in public, I often don’t keep an eye on my handphone or laptop.
MD2 - K (-) | Mobile Device - Knowledge | Sending sensitive information via Wi-Fi | Sending any information with public Wi-Fi is acceptable.
MD2 - A (+) | Mobile Device - Attitude | Sending sensitive information via Wi-Fi | Sending any information with public Wi-Fi is risky.
MD2 - B (-) | Mobile Device - Behavior | Sending sensitive information via Wi-Fi | I send any information with public Wi-Fi
MD3 - K (+) | Mobile Device - Knowledge | Shoulder surfing | When opening sensitive information or document, I must make sure nobody can see my handphone or laptop screen.
MD3 - A (+) | Mobile Device - Attitude | Shoulder surfing | It is risky if there’s someone who can see my handphone or laptop screen when opening sensitive information or document.
MD3 - B (+) | Mobile Device - Behavior | Shoulder surfing | I make sure nobody can see my handphone or laptop screen when opening sensitive information or document.
AF1 - K (+) | Anti-Fraud Awareness Campaign - Knowledge | Receiving XYZ campaign | XYZ send notifications about how to secure personal data.
AF1 - A (+) | Anti-Fraud Awareness Campaign - Attitude | Receiving XYZ campaign | XYZ notifications about how to secure personal data is important.
AF1 - B (-) | Anti-Fraud Awareness Campaign - Behavior | Receiving XYZ campaign | I switch off notification from XYZ.
AF2 - K (+) | Anti-Fraud Awareness Campaign - Knowledge | Accepting XYZ campaign | XYZ has provided a way to secure personal data.
AF2 - A (+) | Anti-Fraud Awareness Campaign - Attitude | Accepting XYZ campaign | Knowing how to secure personal data is important
AF2 - B (-) | Anti-Fraud Awareness Campaign - Behavior | Accepting XYZ campaign | I don’t read and delete XYZ notification about how to secure personal data immediately.
CM1 - K (-) | Card Management - Knowledge | Storing physical card | Letting anyone keeping my XYZ card is acceptable.
CM1 - A (+) | Card Management - Attitude | Storing physical card | Letting anyone keeping my XYZ card is risky.
CM1 - B (+) | Card Management - Behavior | Storing physical card | I keep my XYZ card by myself.
CM2 - K (+) | Card Management - Knowledge | Using physical card | Sensitive information that exists in the back side of the card must be kept secret.
CM2 - A (-) | Card Management - Attitude | Using physical card | There is no risk if anyone see the back side of my card.
CM2 - B (-) | Card Management - Behavior | Using physical card | I let cashier see the back side of my card when doing transaction.
CI1 - K (+) | Concern for Information Privacy - Knowledge | Trust in other’s motives | Clarity of the purpose of the request of personal data is acceptable.
CI1 - A (-) | Concern for Information Privacy - Attitude | Trust in other’s motives | I believe everyone has good intention by requesting personal data.
CI1 - B (+) | Concern for Information Privacy - Behavior | Trust in other’s motives | I ask the purpose of request of personal data from other people.
CI2 - K (+) | Concern for Information Privacy - Knowledge | Reluctance on giving information | I know which personal data that can be shared and cannot be shared to others.
CI2 - A (-) | Concern for Information Privacy - Attitude | Reluctance on giving information | Sharing personal data that can’t be known by other people is safe.
CI2 - B (+) | Concern for Information Privacy - Behavior | Reluctance on giving information | I refuse sharing personal data that cannot be shared to others.
CI3 - K (+) | Concern for Information Privacy - Knowledge | Action to keep information safe | Sensitive information must be stored safely.
CI3 - A (-) | Concern for Information Privacy - Attitude | Action to keep information safe | Storing sensitive information in a place that can be accessed anyone is not risky.
CI3 - B (-) | Concern for Information Privacy - Behavior | Action to keep information safe | I don’t pay attention to the security of storage to store sensitive information.
SI1 - K (-) | Self-efficacy in Information Security - Knowledge | Sensitive information acknowledgement | All information about personal data can be known by other people, including XYZ employee.
SI1 - A (+) | Self-efficacy in Information Security - Attitude | Sensitive information acknowledgement | Sharing all personal data to others is risky.
SI1 - B (+) | Self-efficacy in Information Security - Behavior | Sensitive information acknowledgement | I filter what personal data that I will share to others.
SI2 - K (+) | Self-efficacy in Information Security - Knowledge | Suspicion on fraudster | XYZ has official channels to communicate with customers.
SI2 - A (-) | Self-efficacy in Information Security - Attitude | Suspicion on fraudster | Trusting XYZ official channels as the only option to communicate with bank is a bad idea.
SI2 - B (-) | Self-efficacy in Information Security - Behavior | Suspicion on fraudster | I don’t confirm the authenticity of the party claiming to be from XYZ who is trying to contact me.
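The scoring chain the Conclusion describes (Likert answers keyed by the questionnaire's (+)/(-) codes, AHP weights, Cronbach's alpha, a three-band classification) is sketched below as an added example; it is not the authors' code. The 1-5 to 0-100 mapping, the 80/60 cut-offs, the pairwise judgements, the area weights and every answer are assumptions or constructed sample data, because this section does not state them.

```python
import math
import re
from statistics import variance

LIKERT_MAX = 5
# Saaty's random index by matrix size, used for the AHP consistency ratio.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}
CODE_RE = re.compile(r"^([A-Z]{2})(\d)\s*-\s*([KAB])\s*\(([+-])\)$")


def parse_code(code):
    """'PM1 - K (-)' -> ('PM', 'K', '-'): focus area, dimension, wording polarity."""
    m = CODE_RE.match(code.strip())
    if not m:
        raise ValueError(f"unrecognised item code: {code!r}")
    area, _, dim, polarity = m.groups()
    return area, dim, polarity


def keyed_score(code, answer):
    """Reverse-score negatively worded items so that 5 always means 'most aware'."""
    if not 1 <= answer <= LIKERT_MAX:
        raise ValueError(f"answer out of range for {code}: {answer}")
    return answer if parse_code(code)[2] == "+" else LIKERT_MAX + 1 - answer


def ahp_weights(matrix):
    """Priority vector (row geometric means) and consistency ratio of a pairwise matrix."""
    n = len(matrix)
    gm = [math.prod(row) ** (1.0 / n) for row in matrix]
    weights = [g / sum(gm) for g in gm]
    lam = sum(sum(a * w for a, w in zip(row, weights)) / weights[i]
              for i, row in enumerate(matrix)) / n      # estimate of lambda_max
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    return weights, (ci / ri if ri else 0.0)


def cronbach_alpha(rows):
    """rows: one list of item scores per respondent (same item order in every row)."""
    k = len(rows[0])
    total_var = variance([sum(r) for r in rows])
    if k < 2 or total_var == 0:
        raise ValueError("alpha needs at least two items and varying totals")
    item_var = sum(variance(col) for col in zip(*rows))
    return k / (k - 1) * (1 - item_var / total_var)


def awareness_score(answers, dim_weights, area_weights):
    """Weighted 0-100 score for one respondent; answers maps item code -> Likert answer."""
    per_area = {}
    for code, answer in answers.items():
        area, dim, _ = parse_code(code)
        pct = (keyed_score(code, answer) - 1) / (LIKERT_MAX - 1) * 100  # assumed mapping
        per_area.setdefault(area, {}).setdefault(dim, []).append(pct)
    total = weight_sum = 0.0
    for area, dims in per_area.items():
        used = sum(dim_weights[d] for d in dims)         # renormalise if a dimension is missing
        area_score = sum(dim_weights[d] * sum(v) / len(v) for d, v in dims.items()) / used
        total += area_weights[area] * area_score
        weight_sum += area_weights[area]
    return total / weight_sum


def classify(score, good=80.0, moderate=60.0):
    """Three-band classification; the cut-offs are assumed, not taken from this section."""
    return "good" if score >= good else "moderate" if score >= moderate else "poor"


# Constructed sample data (not from the study).
DIM_JUDGEMENTS = [[1, 1.5, 0.6], [1 / 1.5, 1, 0.4], [1 / 0.6, 1 / 0.4, 1]]  # order: K, A, B
AREA_WEIGHTS = {"PM": 0.6, "MD": 0.4}
RESPONDENT = {"PM1 - K (-)": 2, "PM1 - A (-)": 1, "PM1 - B (+)": 3,
              "MD2 - K (-)": 4, "MD2 - A (+)": 4, "MD2 - B (-)": 5}
PM1_CODES = ["PM1 - K (-)", "PM1 - A (-)", "PM1 - B (+)"]
PM1_RAW = [[1, 2, 5], [2, 2, 4], [3, 2, 3], [4, 4, 2], [5, 4, 1], [2, 1, 4]]


def demo():
    weights, cr = ahp_weights(DIM_JUDGEMENTS)
    dim_weights = dict(zip("KAB", weights))
    score = awareness_score(RESPONDENT, dim_weights, AREA_WEIGHTS)
    keyed = [[keyed_score(c, a) for c, a in zip(PM1_CODES, row)] for row in PM1_RAW]
    return {"dim_weights": dim_weights, "cr": cr, "score": score, "level": classify(score),
            "alpha_raw": cronbach_alpha(PM1_RAW), "alpha_keyed": cronbach_alpha(keyed)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Reverse-scoring the (-) items before computing reliability is what moves the constructed PM1 answers from a negative alpha to a high one, and a consistency ratio above 0.1 is the usual signal that an expert's pairwise judgements should be revisited before their weights are used.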
