| 1.7 | The institute has an ICT/information system security policy that is competent, known and followed by all employees. | 21.4 | 29.6 | 13.3 | 29.6 | 6.1 |
| 1.8 | The institute always updates its ICT infrastructure (hardware and software) based on changes in technology. | 2.4 | 20.7 | 20.3 | 24.6 | 32.0 |
| 1.9 | The institute has a special sponsorship programme for information system security certifications and training. | 46.4 | 20.6 | 12.3 | 10.7 | 10 |
| 2) Inadequate Information Security Policy | ||||||
| SN | Proposition | SDA | DA | NS | A | SA |
| 2.1 | The institute provides regular awareness and training programmes about ICT and information system security policies. | 39.0 | 31.4 | 24.6 | 5.0 | 0.0 |
| 2.2 | Our institute has an ICT/information system security policy that was created by involving all the stakeholders and is known to all employees of the institute. | 15.3 | 17.7 | 50.4 | 16.6 | 0.0 |
| 2.3 | The institute, in collaboration with the IT department, follows all the appropriate guidelines in implementing ICT/Information system security policies for proper utilisation of ICT facilities. | 23.3 | 21.4 | 34.4 | 11.7 | 9.2 |
| 3) Work Environment | ||||||
| SN | Proposition | SDA | DA | NS | A | SA |
| 3.1 | Management inspires information system security training and awareness programmes for all employees. | 28.6 | 29.6 | 13.3 | 25.5 | 3.0 |
| 3.2 | The institute’s information system security culture is well established, as every employee is aware of all the concerning habits in the use of ICT infrastructures that can lead to information system security threats and vulnerabilities. | 23.3 | 26.3 | 21.4 | 26.7 | 2.3 |
| 3.3 | There are restrictions on the use of optimisation software to simplify work for individual best performance and deadlines in completing daily office objectives. | 24.3 | 20.4 | 39.0 | 10.6 | 5.7 |
| 3.4 | The institute provides guidelines on the appropriate use of the Internet through policies such as accessing dubious websites, accessing the institute website on a public network, and opening emails from unknown senders. | 20.3 | 21.7 | 31.8 | 16.8 | 9.4 |
| 3.5 | IAA categorises information access as public, protected, or restricted (secret) and assigns credentials accordingly. | 20.4 | 25.3 | 15.4 | 18.6 | 20.1 |
| 4) Demographic Variables | ||||||
| 4.1 | Information system security is more of a technical issue; thus it is a male field than a female one. | 22.6 | 26.4 | 20.9 | 20.7 | 9.4 |
| 4.2 | Being at IAA for many years has helped me to develop skills and knowledge in information system security policies, rules, and guidelines to protect both myself and the institute. The same cannot be said for new employees. | 26.7 | 28.3 | 30.1 | 8.2 | 6.7 |