How to measure IT security awareness of employees: a comparison to e-mail surveillance at the workplace

Measuring and improving IT security awareness of employees is of crucial importance considering the damages that occur through attacks on the IT security of companies each year. The paper presents a German research project, which intends to improve the IT security awareness of employees while at the same time considering the rights of individuals concerned. The authors address one specific labour law issue dealing with the question of how to ensure that there will not be an adverse impact on the employees’ rights while clandestinely testing their IT security awareness. A parallel will be drawn to the case of e-mail surveillance at the workplace under EU and German law and its findings transferred to the project scenario. On this basis, suggestions for lawful test methods measuring the employees’ IT security awareness will be made. Keywords: IT-security awareness; Critical infrastructures; Penetration testing; Surveillance at the workplace; Surveillance of business e-mail accounts; Privacy by design; Fundamental rights of employees