The impact of information security awareness training on information security behaviour
Date
2009-11-06T09:05:18Z
Authors
Stephanou, Anthony
Abstract
Information Security awareness initiatives are seen as critical to any
information security programme. But, how do we determine the
effectiveness of these awareness initiatives? We could get our employees
to write a test after the awareness to determine how well they
understand the policies, but this does not show how the training affects the
employees' on-the-job behaviour. Does awareness training have a direct
influence on the security behaviour of individuals, and what is the direct
benefit of awareness training? This research report aims to answer the
question: To what extent does information security awareness training
influence information security behaviour?
Technologies meant to provide security ultimately depend on the
effective implementation and operation of these technologies by people.
Thus awareness of policies is needed by all individuals in an organisation
to ensure that policies are well understood and not misinterpreted. Some
researchers have maintained that educating users is futile, for two reasons:
first, it is difficult to teach users complex security issues and, second, if
users see security as secondary to their actual work they will not pay enough
attention to it.
This research found that, firstly, there is a shortage of in-depth
information security awareness research and that behavioural concepts
are not properly taken into account for security awareness programmes.
There is a shortage of theoretical models explaining how awareness
training affects behaviour. Secondly, this research tested a proposed
model empirically using system-generated data as indicators of behaviour
in a pretest-posttest experimental design. It was found that security
awareness training was effective in terms of end-users retaining security
knowledge. However, there was no evidence to suggest that security
awareness by itself is sufficient to ensure compliant behaviour by end-users.
Security awareness training is a necessary, integral component
that could influence compliant behaviour, but is not adequate to do so
fully. Practitioners must insist that their security awareness programmes
are measured in terms of effectiveness and focus on behavioural aspects
to complement traditional security awareness initiatives.