LISAA: A Framework for Large Language Model Information Security Awareness Assessment

The popularity of large language models (LLMs) continues to grow, and LLM-based assistants have become ubiquitous. Information security awareness (ISA) is an important yet underexplored area of LLM safety. ISA encompasses LLMs’ security knowledge, which has been explored in the past, as well as their attitudes and behaviors, which are crucial to LLMs’ ability to understand implicit security context and reject unsafe requests that may cause an LLM to unintentionally fail the user. We introduce LISAA, a comprehensive framework to assess LLM ISA. The proposed framework applies an automated measurement method to a comprehensive set of 100 realistic scenarios covering all security topics in an ISA taxonomy. These scenarios create tension between implicit security implications and user satisfaction. Applying our LISAA framework to leading LLMs highlights a widespread vulnerability affecting current deployments: many popular models exhibit only medium to low ISA levels, exposing their users to cybersecurity threats, and models that rank highly in cybersecurity knowledge benchmarks sometimes achieve relatively low ISA ranking. In addition, we found that smaller variants of the same model family are significantly riskier. Furthermore, while newer model versions demonstrated notable improvements, meaningful gaps in their ISA persist, suggesting that there is room for improvement. We release an online tool that implements our framework and enables the evaluation of new models.

💡 Research Summary

The paper introduces LISAA (Large Language Model Information Security Awareness Assessment), a comprehensive framework designed to evaluate the information‑security awareness (ISA) of large language models (LLMs) across the three psychological dimensions traditionally used in human security‑awareness research: knowledge, attitude, and behavior. While prior work has largely focused on measuring LLMs’ factual cybersecurity knowledge through explicit, fact‑based queries, the authors argue that real‑world safety requires models to recognize implicit security contexts, warn users, and refuse unsafe requests even when compliance would increase user satisfaction.

Taxonomy foundation
To ensure coverage of a wide range of security topics, the authors adopt the well‑established ISA taxonomy of Bitton et al. (2018), which defines four focus areas (Applications, Browsing & Communication, Communication Channels, Device), nine sub‑focus areas, and thirty concrete criteria (e.g., “Download apps from trusted sources”). This taxonomy, originally built for mobile users, provides a granular, psychologically grounded structure that can be transferred to LLM assessment.

Scenario construction
A pool of over 1,000 candidate prompts was generated by mining real user questions from Reddit, Stack Overflow, Android Police, and similar platforms. A panel of three human judges and three pilot LLMs iteratively refined these prompts until each scenario produced a mixed distribution of scores across models, guaranteeing discriminative power. The final set comprises 100 scenarios, each mapped to a specific taxonomy criterion and deliberately engineered so that the secure response conflicts with the user’s apparent goal (e.g., “How can I stop password‑update notifications?”). This design forces the model to either comply with a risky request or recognize the hidden security implication.

Scoring scheme
Responses are evaluated on a three‑point ordinal scale:
1 = Bad (unsafe advice without warning),
2 = Mediocre (unsafe advice with a warning),
3 = Ideal (refusal of the unsafe request, clear warning, and possibly a safe alternative). Detailed rubrics and examples are provided in the appendix.

Automated judging
To scale the assessment, the authors develop an automated scoring pipeline in which LLMs themselves act as judges. First, a manually annotated dataset of 30 scenario responses (one per taxonomy criterion) is created by the three human judges. All evaluated LLMs are then considered as potential judges; subsets of three or more models with distinct architectures are examined for inter‑rater reliability using Krippendorff’s α, appropriate for ordinal data. The subset with the highest agreement (while avoiding closely related variants) is selected as the judging ensemble. Validation shows a Pearson correlation above 0.84 between the automated judges’ scores and the human majority vote, confirming the method’s reliability.

Empirical evaluation
LISAA is applied to 63 popular LLMs, both open‑source and proprietary. Key findings include:

• Overall ISA levels – The majority of models achieve only medium to low ISA scores, indicating a systemic vulnerability where models may inadvertently guide users toward insecure actions.
• Size effect – Within the same model family, smaller variants consistently obtain lower ISA scores (average drop of ~0.6 points), suggesting that parameter count correlates with safety performance.
• Version improvements – Newer releases show modest ISA gains (0.3–0.5 points on average), yet many critical scenarios still receive non‑ideal responses, demonstrating that upgrades alone do not guarantee safety.
• Knowledge‑behavior mismatch – Models that rank highly on pure knowledge benchmarks (e.g., CTIBench, SECURE) sometimes score poorly on ISA, confirming that factual knowledge does not translate into safe behavior.

Implications
The study highlights the necessity of evaluating LLMs beyond static knowledge tests. Developers should incorporate explicit safety‑aware objectives, such as recognizing implicit threats, issuing warnings, and refusing harmful instructions. LISAA’s automated pipeline provides a repeatable, scalable tool for continuous monitoring of new model releases, facilitating rapid identification of regressions or improvements in security awareness.

Limitations and future work
The current taxonomy is mobile‑user centric; extending the framework to enterprise, cloud, or IoT domains will require additional criteria. The reliance on LLM judges introduces a potential bias if the judges themselves lack sufficient security awareness; future work may explore hybrid human‑LLM ensembles or larger judge pools. Moreover, expanding the scenario set to include adversarial “jailbreak” prompts and diversifying the cultural context of queries could further stress‑test models’ ISA.

Resources
The authors release an interactive web tool, the full set of 100 scenarios, annotation data, and code (see Appendix B), enabling the research community to reproduce the experiments and apply LISAA to emerging models.

In sum, LISAA establishes a rigorous, taxonomy‑driven methodology for measuring LLMs’ security awareness across knowledge, attitude, and behavior, revealing systematic gaps in current deployments and offering a practical pathway toward safer conversational AI.