The impact of information security awareness training on information security behaviour

Stephanou, Anthony
Information security awareness initiatives are seen as critical to any information security programme. But how do we determine the effectiveness of these awareness initiatives? We could get our employees to write a test after the awareness training to determine how well they understand the policies, but this does not show how the training affects employees' on-the-job behaviour. Does awareness training have a direct influence on the security behaviour of individuals, and what is the direct benefit of awareness training? This research report aims to answer the question: To what extent does information security awareness training influence information security behaviour? Technologies meant to provide security ultimately depend on the effective implementation and operation of these technologies by people. Thus, awareness of policies is needed by all individuals in an organisation to ensure that policies are well understood and not misinterpreted. Some researchers have maintained that educating users is futile, mainly because it is believed that it is difficult to teach users complex security issues and, secondly, because if security is seen as secondary by the user they will not pay enough attention to it. This research found that, firstly, there is a shortage of in-depth information security awareness research and that behavioural concepts are not properly taken into account in security awareness programmes. There is a shortage of theoretical models explaining how awareness training affects behaviour. Secondly, this research tested a proposed model empirically using system-generated data as indicators of behaviour in a pretest-posttest experimental design. It was found that security awareness training was effective in terms of end-users retaining security knowledge. However, there was no evidence to suggest that security awareness by itself is sufficient to ensure compliant behaviour by end-users.
Security awareness training is a necessary, integral component that could influence compliant behaviour, but is not adequate to do so fully. Practitioners must insist that their security awareness programmes are measured in terms of effectiveness and focus on behavioural aspects to complement traditional security awareness initiatives.