(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 14, No. 4, 2023

Employee Information Security Awareness in the Power Generation Sector of PT ABC

Ridwan Fadlika¹, Yova Ruldeviyani², Zenfrison Tuah Butarbutar³, Relaci Aprilia Istiqomah⁴, Achmad Arzal Fariz⁵
Faculty of Computer Science, Universitas Indonesia, Depok, Indonesia ¹,²,³,⁴,⁵

Abstract: Presidential Regulation No. 82 of 2022 demonstrates the Indonesian government's dedication to protecting Vital Information Infrastructure, which has become increasingly susceptible to cyber attacks. Intrusion detections at PT ABC reached 79,575 in 2021, and malware, botnets, targeted attacks, malicious websites/domains, and ransomware attacks may cause considerable financial losses. The implication of these incidents is that employees' awareness of information security is critical, in addition to security technologies like firewalls and monitoring tools. To enhance employees' knowledge of information security, this study aims to evaluate the information security awareness among PT ABC personnel using the HAIS-Q survey instrument alongside ISO/IEC 27001:2013 criteria. The study will provide valuable recommendations to improve the organization's security protocols. This research intends to investigate the correlation between employees' knowledge, attitude, and behavior towards information security. Data was collected through a questionnaire and analyzed using the Pearson Correlation, Cronbach's Alpha, descriptive statistics, linear regression, and Kruskal-Wallis test method. The study findings suggest that the overall information security awareness level among employees is "Good". However, certain areas like internet usage, information handling, asset management, incident reporting, and the use of mobile devices need improvement. To address these areas, the study recommends promoting information security awareness according to employee categories.

Keywords: Security awareness; data; information; ISO/IEC 27001:2013

I. INTRODUCTION

The Indonesian government, through Presidential Regulation No. 82 of 2022 [1], pays attention to and is committed to protecting Vital Information Infrastructure due to the abuse of information and electronic transactions. Threats to the security of vital objects such as power plants were experienced by the Gundremmingen nuclear power plant in Germany in 2016, where the "W32.Ramnit" and "Conficker" viruses attacked through an employee's USB device¹. The 2021 BSSN Report on Cybersecurity Monitoring reports that one of the background causes of data leaks is phishing [2]. Phishing is a method in which the hacker infiltrates malicious code through an e-mail or website page during internet browsing [3][4]. Monitoring data from PT ABC states that the number of intrusion detections during 2021 was 79,575. Cyber attacks such as malware, botnets, targeted attacks, malicious websites/domains, and ransomware attacking the company can result in significant financial losses [3][4]. The lesson learned from these incidents is the need for information security awareness among employees at PT ABC: security technologies such as firewalls or monitoring tools play an important role in security, but the human factor must also be considered [4].

¹ S. Christoph and A. Eric, 'German nuclear plant infected with computer viruses, operator says', Reuters, 2016, https://www.reuters.com/article/us-nuclearpower-cyber-germany-idUSKCN0XN2OS (accessed 10 October 2022)

The measurement of awareness of information security has been the subject of numerous prior studies. Vina Effendy et al. (2022) conducted a study utilizing the HAIS-Q modeling to evaluate the level of information security awareness at XYZ polytechnic. The findings of the study revealed that the level of awareness was at a medium level at the research site, indicating the need for further monitoring to enhance the level of awareness.
However, the authors did not provide recommendations based on employee criteria [5]. Another study by Aulia Zulfia et al. (2019) employed the HAIS-Q method to measure information security awareness at PT PQS. Nevertheless, the authors did not provide recommendations based on employee criteria [6]. In a similar vein, Rahardi Prakoso et al. (2020) measured awareness of information security among online transportation users using the HAIS-Q method. The authors identified the areas that require improvement, but did not provide recommendations based on sub-area categories among respondent demographics [7].

The Human Aspects of Information Security-Questionnaire (HAIS-Q) is a widely recognized tool for evaluating global information security awareness. Numerous studies, including [5][6][7][8][21], have utilized the HAIS-Q in various contexts, spanning commercial enterprises, academic institutions, and government agencies. Despite its extensive adoption, previous research has yet to integrate the HAIS-Q with the ISO/IEC 27001:2013 standard, and no research has specifically investigated the extent of awareness of information security among employees of PT ABC.

The motivation described above has instigated a research initiative aimed at assessing the awareness of information security of the PT ABC personnel. The HAIS-Q survey instrument, in conjunction with the ISO/IEC 27001:2013 criteria, will be utilized to achieve this goal. The outcomes of this investigation will furnish recommendations for enhancing the organization's security protocols. It is expected that these