Rabelani Dagada Foundation
University of the Witwatersrand
ABSTRACT: The contribution of this paper is significant in the following ways: The research is based on a case study using system-generated data to measure actual user behaviour before and after security awareness training interventions, in order to measure the effectiveness of the training. Therefore, the study does not rely upon users’ perceptions of their own behaviour. Previous research has used interviews, surveys and ‘participatory observation’ to draw conclusions about end-user behaviours in this regard. This research measures a subset of behaviours required by a typical Acceptable Usage Policy (AUP), whereas much previous and recent research with respect to effective awareness training has focused on ‘phishing’ related threats in a laboratory environment. This research not only demonstrates the impact of security awareness training on user behaviour but also contributes towards a set of instruments for behavioural measurement, useful for future research. This paper aims to consolidate the security awareness research landscape and move towards a common language and understanding of what ‘security behaviour’ means. Finally, it calls for stronger checks for internal validity (such as field and laboratory experiments).
Keywords: Impact of security awareness, information security behaviour, Acceptable Usage Policy
Information Technology systems are dependent on people. Information security is concerned with behaviour more than any other factor, i.e. getting people to behave in a certain way. It is people’s intentional and unintentional actions that cause the adverse consequences that security aims to prevent. Schneier says in Secrets & Lies (2000) that one of the reasons for the book was to correct the notion put forward in his previous book that cryptography was the answer to security. The rhetorical question he asks is: why would an attacker spend time and money trying to break an encryption algorithm, for example, when it would be easier to bribe an employee who has been given explicit access to the information required for their day-to-day activities? Despite the hype from vendors about the need for security products, many critical security activities have not been and cannot be automated. This means that organisations are dependent on people to achieve a secure environment. Since humans are seen as the ‘weakest link’ in the information security chain (Kabay, 2002; Katsikas, 2000; Schneier, 2000; Stanton, Stam, Guzman & Caldera, 2003; Van Niekerk & Von Solms, 2004), there is a clear requirement to ensure that users are trained correctly in terms of information security policies. The goal is to ensure that users follow the necessary policies and that the policies are not misused or misinterpreted, thereby ensuring the effectiveness of policies (Siponen, 2000) and the efficiency of security processes. Incorrect security behaviour must be addressed, as it is the major reason for inefficient security measures.
Users need to understand why security must be taken seriously, the benefits to them personally (i.e. what they gain from this) and how this will assist them in executing their job (Peltier, 2000). Further, users should be given the opportunity to review and accept the necessary policies. Security awareness efforts are seen as the “first line of defence” (OECD, 2002). On the other hand, Evers (2006) argues that awareness initiatives, while necessary, are not sufficient to obtain the desired results; other authors simply believe that educating users is futile.
2. THEORETICAL FRAMEWORK AND BRIEF LITERATURE REVIEW
Since one of the aims of this paper is to show that the hypotheses in this paper are reasonable, the theoretical foundation upon which this research was based will be introduced initially. Thereafter, the hypotheses will be established in light of the objectives of this literature survey.
The theoretical foundation of this research is based on the work of Nonaka and Takeuchi (1995). They contend that the main reason Japanese companies excel is that they are good at ‘organisational knowledge-creation’ (i.e. the company acquires new knowledge, disseminates it, and has it reflected in new products, services and systems). Individuals within an organisation create knowledge. The organisation is dependent on individuals for this, since it cannot create knowledge by itself. However, since knowledge workers do and will play a pivotal role in society (Drucker, 1993; Stephanou & Dagada, 2008), what organisations can do is magnify the knowledge created by individuals and make it meaningful across the organisation, thus creating a knowledge-creation process.
Nonaka and Takeuchi (1995) argue that there are two types of knowledge and both are needed to help explain organisational learning (i.e. tacit knowledge and explicit knowledge). They explain that the way an organisation learns is by oscillating between the two types of knowledge. Tacit knowledge is not tangible and is subjective since it is that which is possessed by employees of an organisation. This includes individual beliefs, experiences and understanding of the organisation and what the organisation requires from them. Tacit knowledge also includes the notion of mental models: it is how individuals view reality now and how they envision it to be in the future. The tacit knowledge of individuals is the basis for organisational knowledge-creation (Nonaka & Takeuchi, 1995).
Explicit knowledge, on the other hand, is codified, formal and easily expressed. Examples of explicit knowledge include organisational policies, pamphlets, directives and systems. Westerners emphasise explicit knowledge, while the Japanese emphasise tacit knowledge. Nonaka and Takeuchi (1995), however, are of the opinion that these types of knowledge are not separate but complementary. The vital assumption of knowledge-creation is that human knowledge is produced through the social interaction of explicit and tacit knowledge occurring between individuals. Therefore, organisational knowledge-creation spirals out from individuals across departmental, divisional and organisational boundaries (Nonaka & Takeuchi, 1995; Stephanou, 2008).
Thus the key to knowledge-creation is the conversion of tacit knowledge to explicit knowledge in an organisation. This happens when the interaction between tacit and explicit knowledge is elevated dynamically from a lower organisational unit in the organisation (for example, a small business unit) to a higher level in the organisation (for example, divisional level or organisation-wide). The theory proposed by Nonaka and Takeuchi (1995) is based on four modes of knowledge conversion (or the dynamic and continuous interaction between tacit and explicit knowledge). This is, in actual fact, ‘the engine’ of the knowledge-creation process. Each mode produces different outputs. This research report focuses on this process. The hypotheses presented in this paper are based on these knowledge-creation processes. The learning path in an organisation follows four cyclical stages (Nonaka & Takeuchi, 1995): employees share tacit knowledge; tacit knowledge is made explicit by formalising it (e.g. through creation of policy); formalised knowledge is disseminated (e.g. through awareness activities) and, finally, employees ‘learn by doing’, thus making explicit knowledge tacit through internalising it. The cycle then starts again, following an infinite loop.
This paper proposes a theoretical model to explain how awareness training influences behaviour. Since security is dependent on human behaviour, it makes sense to have a proper security awareness programme that takes this into account. Employees are often the greatest source of security breaches, mostly due to ignorance. It is further proposed that, in order to ensure appropriate security behaviour, employees need explicit knowledge of security policies and tacit knowledge of how to enact the appropriate security behaviour. This paper therefore argues that future security awareness programmes must take this into account.
Figure 1 below puts the model described above in context and shows the actual mechanisms that will be tested. Firstly, users will undergo security awareness training (1). This will be in the form of exposure to security awareness material showing correct and incorrect behaviours. Thus the security message is made explicit and disseminated to users (2). As argued above, explicit knowledge also needs to be made tacit through users’ internalising it. So, after the awareness material is presented, users will be required to write a short test to measure the extent to which the message has been internalised (3). Thereafter, the actual behaviour of respondents is measured to test whether their behaviour has changed after awareness training (4) and, whether internalised knowledge (comprehension) is needed for appropriate behaviour (5).
Figure 1. Theoretical model explaining how security awareness training affects behaviour
To recap: the goal of the research was to determine what effect exposure to security awareness training has on end-user behaviour. Three hypotheses were tested.
- The first hypothesis is a composite construct made up of three sub-hypotheses. This hypothesis holds that end-user exposure to security awareness training has an effect on three specific security behaviours, namely:
  - End-user exposure to security awareness training on appropriate information-handling improves secure handling of information.
  - End-user exposure to security awareness training on acceptable usage of e-mail and Internet facilities diminishes Internet and e-mail abuse by end-users.
  - End-user exposure to security awareness training on password management best practices improves secure handling of passwords by end-users.
- The second hypothesis holds that end-user exposure to security awareness training increases the internalisation of security knowledge.
- The third hypothesis holds that internalised security information is necessary for users to enact appropriate security behaviours.
4. RESEARCH METHODOLOGY
This section deals with the following aspects of research methodology: research approach, sampling, and the statistical techniques employed.
4.1 Research Approach
Initially, three particular security behaviours exhibited by control and experimental group members are measured. These behaviours are categorised as ‘Detrimental misuse’, ‘Naïve mistakes’ and ‘Basic hygiene’. These measurements are stored in the security behaviour scorecard (A) for each control group and experimental group member. Thereafter, the experimental group is exposed to the security awareness training film (delivered in three separate parts) and the associated security test (B). Control group members are not exposed to the training but are merely required to complete the security test (C). The security behaviours of the control and experimental group members are again measured and collated in the security behaviour scorecard (D). Thereafter the security behaviour scorecards are used as input to test the validity of the hypotheses proposed in this report, using the statistical techniques described in this paper (E).
The research approaches followed by the study on which this paper is based are presented in the following table. These include research steps (literature review) and research strategy (conceptual analysis, action research and case study).
Table 1: Research methods for answering the research hypothesis
| Research Step | Research Approach/Strategy |
| --- | --- |
| Introduction and literature review | Conceptual analysis |
| Research methods and results | Action research and case study |
This research used action research as the preferred research method. With action research, the problem is identified, a plan of action to address the problem is developed and implemented, and the data are collected and evaluated. The implications of the findings are discussed thereafter. Action research is suitable for looking at information systems methods in a practical setting and studying the appropriateness of the research in real-life.
Puhakainen (2006) maintains that action research is an empirical method allowing the researcher to be involved in solving the real, practical problems experienced by an organisation. Therefore, it follows that a case study was chosen as a strategy for this research. To correspond with action research, the question being examined occurs in the case study itself. The case study approach was also beneficial because this research was coupled with the existing information security awareness activities within the organisation.
Therefore, pairing the planned security awareness activities with this research provided a dual benefit: it provided both data for this research and security awareness training to employees on the AUP of the organisation. It also measures the effectiveness of such training for the organisation. In this sense, the organisation in question is able to decide whether or not the approach to awareness training was successful, and whether or not they should continue with the same strategy or try a different approach in the future. A research student of the author of this paper played an active role in executing the security awareness activities at the organisation as well as gathering the data that are the subject of this paper.
The organisation that was the subject of the case study is a South African company, headquartered in South Africa but operating in various other countries. It has a staff complement of 5 726. Although approval from the organisation was obtained to carry out the research, the company will remain anonymous in this report. As with all organisations, this one (hereafter referred to as Topaz CC) has concerns about internal security. This is especially true regarding the protection of customer information that the organisation stores and processes. Protection of such information (like other information) is mandated by South African law.
Topaz CC has fairly recently approved and promulgated a number of information security policies. One of the most important of these policies is the AUP. The AUP is a single document that covers the responsibilities of all end-users, including employees or third parties, accessing Topaz CC’s network (for example, consultants and suppliers). The organisation, like many others, had experienced a number of blatant violations of its AUP by employees. The first step was, therefore, to ensure that users were aware of their security responsibilities and what they should do to become more secure. Security awareness activities in the past at Topaz CC were sparse and haphazard. Awareness activities consisted of occasional emails that were sent to all employees on certain topics such as the clean desk policy, correct email usage, virus threats and phishing scams. Emails were used as this was considered the most efficient method of communication with all users. Consequently, end-users were bombarded by emails on a daily basis. The existing AUP was completed in 2006 and includes a user-friendly security guideline booklet. The AUP comprises various sections about end-user responsibilities such as: software and email usage, and mobile computing. For each section, the guideline booklet illustrates a scenario using cartoon strips in order to make the message more palatable for users. The booklet was distributed to end-users during 2006. During 2007, every two months, end-users received security emails on specific topics within the AUP.
4.2 Sampling
Control and experimental groups were used for the research design. The use of a control group is considered the most practical way to control nuisance variables. Therefore, the behavioural measurements described in this paper were calculated for both control and experimental group members. Candidates for the control and experimental groups were employees of the organisation. Thus the population (N) is 5 726. The organisation consists of a number of distinct strata, based on organisational departments with different sizes, cultures and priorities. In addition, because of the nature of the organisation, a large number of contractors work in the organisation. Different group cultures exist, such as the different cultures of field engineers and call centre personnel. Due to the nature of the research, the aim was to obtain as large a sample size as possible.
The criterion for choosing the groups was that all candidate members had to have Internet access. This was important since two of the behavioural measurements for testing Hypothesis 1a and 1b (‘Naïve mistakes’ and ‘Detrimental misuse’) measure end-user susceptibility to a phishing mail and Internet browse times. Thus, a list of all end-users who had Internet access was generated. This amounted to 8 600 entries and included system accounts as well as end-user accounts.
Many targets were excluded from the sample as they were invalid. For example, there were no browse times available for the end-user, some entries were system accounts or IP addresses, and some employees had only recently joined the organisation. Finally, executive accounts and persons associated with executives in some way were also removed. This was because the researcher wanted to ensure that these end-users were not interfered with in any way during the fieldwork. The final viable sample size (n) was 2 144. Thereafter the list of end-users was split into control and experimental groups as follows: a random number (between 1 and 10 000) was generated and assigned to each end-user in the sample using the RANDBETWEEN Microsoft Excel function; the list of end-users was then sorted by their assigned random number from lowest to highest. Finally, the first half of the list (comprising 1 072 users) was allocated to the control group and the second set of 1 072 was allocated to the experimental group.
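The exclusion rules and the RANDBETWEEN-sort-split allocation described above, written out as an added example (this is not the study's own code or spreadsheet). The account list, the 90-day threshold for ‘recently joined’ and the dotted-quad test for IP-address entries are assumptions; the paper gives only the categories of excluded entries. The example also exposes the one detail a spreadsheet sort leaves implicit: with 2 144 draws from 1 to 10 000, duplicate random numbers are certain, so the tie-break order decides group membership for those users.

```python
import random
from dataclasses import dataclass


# Constructed sample of candidate accounts; the field values are assumptions used
# only to exercise the exclusion rules described in the paper.
@dataclass(frozen=True)
class Account:
    name: str
    is_system: bool = False        # service/system account rather than a person
    has_browse_data: bool = True   # browse-time data exists for this user
    days_employed: int = 365       # tenure, used for the "recently joined" rule
    executive_related: bool = False


SAMPLE_ACCOUNTS = [
    Account("alice"), Account("bob"), Account("carol"), Account("dave"),
    Account("erin"), Account("frank"), Account("grace"), Account("heidi"),
    Account("svc_backup", is_system=True),              # system account
    Account("10.0.0.5"),                                 # IP address, not a user
    Account("ivan", has_browse_data=False),              # no browse times available
    Account("judy", days_employed=14),                   # recently joined
    Account("exec_assistant", executive_related=True),   # associated with an executive
]


def looks_like_ip(name: str) -> bool:
    """True for dotted-quad entries such as '10.0.0.5' that are not end-users."""
    parts = name.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def is_viable(acct: Account, min_tenure_days: int = 90) -> bool:
    """Exclusion rules from the paper. The 90-day tenure threshold is an assumption;
    the paper only says 'recently joined'."""
    return not (acct.is_system
                or looks_like_ip(acct.name)
                or not acct.has_browse_data
                or acct.days_employed < min_tenure_days
                or acct.executive_related)


def allocate_groups(accounts, seed: int, upper: int = 10_000):
    """Mirror the RANDBETWEEN procedure: each viable account gets a random integer in
    [1, upper], the list is sorted ascending on it, the first half becomes the control
    group and the second half the experimental group (an odd leftover goes to the
    experimental group). Ties on the random key are broken by original list order,
    which is the detail a spreadsheet sort leaves implicit."""
    rng = random.Random(seed)  # seeded so the split is reproducible
    viable = [a for a in accounts if is_viable(a)]
    keyed = sorted(((rng.randint(1, upper), i, a) for i, a in enumerate(viable)),
                   key=lambda t: (t[0], t[1]))
    ordered = [a for _, _, a in keyed]
    half = len(ordered) // 2
    return ordered[:half], ordered[half:]


def key_collisions(n: int, seed: int, upper: int = 10_000) -> int:
    """Number of duplicated random keys when n draws are taken from [1, upper].
    With n = 2144 and upper = 10000, as in the paper's procedure, duplicates are
    effectively certain, so the tie-break rule above actually matters."""
    rng = random.Random(seed)
    keys = [rng.randint(1, upper) for _ in range(n)]
    return n - len(set(keys))


if __name__ == "__main__":
    control, experimental = allocate_groups(SAMPLE_ACCOUNTS, seed=42)
    print("control:", [a.name for a in control])
    print("experimental:", [a.name for a in experimental])
    print("duplicate keys in 2144 draws:", key_collisions(2144, seed=42))
```

Recording the seed (or, in the spreadsheet case, the generated column of random numbers) alongside the final group lists is what makes the allocation auditable later.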
4.3 Statistical techniques employed
In most cases non-parametric statistical techniques were used. The reason is the different sample sizes obtained between control and experimental groups. In addition, some of the sample sizes (notably, the experimental groups) are much smaller than the control group sizes, so there is some concern about the normality of the data. The reason for the smaller experimental groups is that control group members had to complete the necessary security tests only, whereas the experimental groups had to watch a security film before completing the security test; experimental group members may have found this process too onerous. Where parametric tests have been used, the data meet their general assumptions, namely that the samples are random and the observations are independent.
5. RESEARCH FINDINGS
The purpose of this section is to interpret the findings in terms of the hypotheses and the literature survey presented. Their meaning and implications will be explained in light of the objectives of this research, taking into account the theoretical model put forward by this paper. The limitations of this research will also be presented, as will a research agenda for scholars and practitioners.
5.1 Findings for Hypothesis 1
To recap, Hypothesis 1 is a composite construct made up of three sub-hypotheses. This hypothesis states that end-user exposure to security awareness training has an effect on three specific security behaviours as follows:
5.1.1 End-user exposure to security awareness training on appropriate information-handling improves secure handling of information.
The measurement of information-handling was translated into the category of ‘Naïve mistakes’. One behaviour within this category was measured, namely: susceptibility of end-users to be fooled by a phishing attack. Based on the data analysis, it is concluded that the impact of information security awareness training on this particular behaviour is not significant in this case study. It appears that exposure to training does not lead to a noticeable improvement in compliant behaviour. Awareness training appears insufficient to ensure end-user security compliant behaviour. Therefore, this sub-hypothesis is not supported, based on the data from this research.
5.1.2 End-user exposure to security awareness training on acceptable usage of e-mail and Internet facilities diminishes Internet and e-mail abuse by end-users.
The measurement of acceptable usage of Internet facilities was translated into a ‘Detrimental misuse’ category. One variable within this category was measured, namely: total Internet browse times by end-users over a two-week period. Based on the data analysis, it is concluded that, despite the lowered mean in the observed behaviour (improved browsed times), the difference is not statistically significant. The impact of information security awareness training on this particular behaviour is, therefore, not of any significance for this study. In this case, it seems exposure to training does not lead to a noticeable improvement in compliant behaviour. Awareness training appears insufficient to ensure end-user security compliant behaviour. Therefore, this sub-hypothesis is not supported.
5.1.3 End-user exposure to security awareness training on password management best practices improves secure handling of passwords by end-users.
The measurement of password management best practices was translated into a ‘Basic hygiene’ category. One variable, namely password strength, was measured. Based on the data analysis, it is concluded that no significant differences between control and experimental groups exist. The impact of information security awareness training on this behaviour is not significant. In this case, it seems that exposure to training does not lead to a noticeable improvement in compliant behaviour. Awareness training appears insufficient to ensure end-user security compliant behaviour in this regard. Therefore, this sub-hypothesis is not supported.
Based on the above results, Hypothesis 1 is rejected. The outcome of this research does not mean that information security awareness training has no impact on information security behaviour. In future, multiple variables may have to be examined to determine the broader impact of information security awareness training on information security behaviour. The implications are that information security awareness training appears to be too inadequate to ensure that end-user behaviour is compliant and to prevent non-compliant behaviour.
5.2 Findings for Hypothesis 2
The second hypothesis states that end-user exposure to security awareness training increases the internalisation of security knowledge. Three sets of scores were examined for this hypothesis, namely: control group and experimental group scores for Security Tests 1, 2 and 3. In each case, control group scores were compared to the experimental group scores. Based on the results, it appears that in all test scores undertaken by control and experimental group members, the experimental group scored higher than the control group. The implications of this are that the training seems to be effective in this case, as the end-users in the experimental group fared statistically better than the control group end-users. Therefore, within this organisation and based on the sample in this research, it appears that Hypothesis 2 is supported by the research findings.
5.3 Findings for Hypothesis 3
The final hypothesis proposes that internalised security information (as measured by Hypothesis 2), is necessary for users to enact appropriate security behaviours. Therefore one would expect end-users with high test scores to be associated with compliant security behaviours. After they had undergone training, the experimental group end-user data were analysed. The following questions were examined:
a) For ‘Naïve mistakes’, did those whose behaviour was compliant (i.e. they were not fooled by a phishing scam) have a significantly better score for Test 1 than those whose behaviour was not? The results indicate that, even though those with compliant behaviour obtained a higher mean test score than those with non-compliant behaviour, the difference is not statistically significant.
b) For ‘Basic hygiene’, did those whose behaviour was compliant (i.e. they chose stronger passwords) have a significantly better score for Test 1 than those whose behaviour was not? The results indicate that those with non-compliant behaviour scored higher in the test than those whose behaviour was compliant. The difference in scores is statistically significant. On the other hand, the group that was compliant had a very high mean score of 90%. In fact, both results (within the experimental group) were very high, which implies that internalised knowledge of security may be necessary but is not sufficient to prevent poor security behaviour in this case.
c) For ‘Detrimental misuse’, did those with compliant behaviour (i.e. they spent less time browsing) score better for Test 3 than those with non-compliant behaviour? There appears to be no association between better test scores and improved browse times.
It can, therefore, be concluded that obtaining a high score is not an indication of compliant security behaviour. Based on the data from this research, Hypothesis 3, therefore, cannot be supported.
6. TENACITY OF THEORETICAL MODEL
Explicit knowledge was provided to end-users in the form of the security awareness training. This knowledge was also made implicit by requiring end-users to write a security test. When this implicit knowledge was measured, it was found that the training material had been internalised, as end-users who had undergone training obtained higher test scores than those who had not. In that sense, the information security training was effective. However, the subsequently required compliant security behaviour was not apparent based on the data at hand. Based on the existing data, internalised knowledge of security requirements is not sufficient to influence the required behaviours. This has implications for the existing literature, as will be discussed later in this paper. Further studies should be conducted to verify the external validity of these findings.
7. RESEARCH LIMITATIONS
There are a number of extenuating circumstances and boundaries within this research which must be noted. Firstly, the instrument to measure ‘Detrimental misuse’ could be considered a broadsword in some respects, as it measured internal browsing (i.e. browsing on the corporate Intranet) as well as Internet browsing. In addition, this particular behavioural measurement did not distinguish between ‘good’ browsing and ‘bad’ browsing. For example, Internet banking may be considered ‘good’ browsing, as opposed to online gaming, which is considered a waste of company resources. The organisation’s AUP allows for business-related and even occasional personal browsing. However, it is not prescriptive about the limit and what would be considered acceptable.
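The ‘broadsword’ limitation above can be addressed at the measurement stage by classifying each proxy record before summing browse times. The following is an added example, not an instrument from the study: it runs a constructed six-line proxy log through both the undifferentiated total the paper describes and a categorised total that separates intranet traffic (private IP ranges and an assumed internal DNS suffix, `.topaz.local`) from Internet traffic, and business-related Internet hosts (a constructed allowlist) from everything else. The log format and host names are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address

# Assumed internal DNS suffix and a constructed allowlist of business-related external
# hosts; a real deployment would take both from the organisation's own inventory.
INTERNAL_SUFFIXES = (".topaz.local",)
BUSINESS_HOSTS = {"www.bank.example", "portal.supplier.example"}
CATEGORIES = ("intranet", "internet_business", "internet_other")

# Constructed proxy log: timestamp, user, host, seconds spent (not a real log format).
SAMPLE_LOG = """\
2007-05-14T09:02:11 alice intranet.topaz.local 320
2007-05-14T09:10:40 alice www.bank.example 180
2007-05-14T10:15:03 alice games.example 1500
2007-05-14T09:30:00 bob wiki.topaz.local 600
2007-05-14T11:00:00 bob 10.20.30.40 240
2007-05-14T13:05:09 bob video.example 2400
"""


def classify_host(host: str) -> str:
    """Separate intranet traffic from Internet traffic, and business-related Internet
    hosts from everything else."""
    try:
        if ip_address(host).is_private:
            return "intranet"
    except ValueError:
        pass  # not an IP literal; fall through to the name-based rules
    name = host.lower()
    if name.endswith(INTERNAL_SUFFIXES):
        return "intranet"
    if name in BUSINESS_HOSTS:
        return "internet_business"
    return "internet_other"


def parse_line(line: str):
    """Split one constructed log record into (user, host, seconds)."""
    _timestamp, user, host, seconds = line.split()
    return user, host, int(seconds)


def naive_browse_times(log_text: str) -> dict:
    """The 'broadsword' measurement: total seconds per user, no distinction made."""
    totals = defaultdict(int)
    for line in filter(str.strip, log_text.splitlines()):
        user, _host, seconds = parse_line(line)
        totals[user] += seconds
    return dict(totals)


def categorised_browse_times(log_text: str) -> dict:
    """Seconds per user broken down by category, so intranet use and business-related
    browsing can be excluded from a 'Detrimental misuse' score."""
    totals = defaultdict(lambda: dict.fromkeys(CATEGORIES, 0))
    for line in filter(str.strip, log_text.splitlines()):
        user, host, seconds = parse_line(line)
        totals[user][classify_host(host)] += seconds
    return dict(totals)


if __name__ == "__main__":
    print("naive totals:", naive_browse_times(SAMPLE_LOG))
    print("categorised:", categorised_browse_times(SAMPLE_LOG))
```

On the constructed log, bob's undifferentiated total (3 240 s) is larger than alice's (2 000 s), yet 840 s of bob's time is intranet use; only the `internet_other` column is a candidate measure of the behaviour the AUP actually restricts, and even that column still needs the organisation's own allowlist to decide what counts as business-related.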
For ‘Basic hygiene’, the passwords tested were already subjected to password complexity rules, which means that the system screens user-chosen passwords before accepting them. Thus users are unable to enter simplistic passwords such as ‘123’. Enforced password complexity may, therefore, have played a role in minimizing differences between control and experimental group members since both groups would have had to enter passwords of at least a basic level of complexity. Note that password complexity rules do not guarantee that strong passwords will be chosen by users. This is substantiated by the fact that before training a total of 922 passwords could be ‘cracked’ even with password complexity enabled on the system.
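The point that complexity rules do not guarantee strong passwords can be shown directly. The following is an added example, not code from the study or from Topaz CC's systems: a typical complexity rule (assumed here as at least eight characters and three of four character classes) is placed beside a length-plus-denylist check of the kind NIST SP 800-63B recommends. The denylist and the leet-substitution table are small constructed stand-ins for a breached-password corpus. Passwords such as ‘Password1!’ satisfy the complexity rule yet reduce to a denylisted word, while a long all-lowercase passphrase fails the complexity rule and passes the strength check.

```python
import string

# Leet-style substitutions undone before the denylist check (constructed, not exhaustive).
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "$": "s", "5": "s"})

# Constructed denylist of common password cores; a production check would use a large
# breached-password corpus instead, as NIST SP 800-63B recommends.
DENYLIST = {"password", "welcome", "summer", "winter", "qwerty", "letmein", "topaz"}


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Typical complexity rule, assumed here: at least min_len characters and at least
    three of the four classes lower/upper/digit/punctuation."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= min_len and sum(classes) >= 3


def password_core(pw: str) -> str:
    """Strip the digits/punctuation users bolt onto the ends ('Welcome2007!!!'), undo
    leet substitutions ('P@ssw0rd') and lower-case, leaving the guessable word."""
    core = pw.strip(string.digits + string.punctuation)
    return core.translate(LEET).lower()


def is_strong(pw: str, min_len: int = 12) -> bool:
    """Length plus a denylist check on the normalised core, instead of character
    classes: passphrases pass, dressed-up dictionary words do not."""
    return len(pw) >= min_len and password_core(pw) not in DENYLIST


def evaluate(pw: str) -> dict:
    """Both verdicts side by side, so the divergence between the rules is visible."""
    return {"complexity_rule": meets_complexity(pw), "strength_check": is_strong(pw)}


if __name__ == "__main__":
    for candidate in ("Password1!", "P@ssw0rd", "Welcome2007!!!",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {evaluate(candidate)}")
```

A password policy that enforces only `meets_complexity` accepts every entry in the first three rows and rejects the passphrase, which is the reverse of their actual guessability; this is why the observed password-strength differences between two groups that both faced the same complexity filter say little about what training changed.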
Finally, translating the organisation’s AUP into a film format was challenging since there was a lot of content that had to be taught. The film, therefore, had to be split into three 15-minute parts and shown to users at separate times. Consequently, user participation waned from the first to the third viewings. Despite coupling the awareness to a competition and sending out reminder emails to end-users, the response rate was lower than anticipated. Future research could couple this awareness training to the employee performance contract, for example, to ensure that a high response rate is achieved.
8. RESEARCH IMPLICATIONS
8.1 Literature implications
This research modifies the previous conclusions by researchers like McCoy and Fowler (2004) and Sommers and Robinson (2004) who found it too difficult to measure the effectiveness of their security awareness interventions and thus chose not to. This research has shown that measurement is plausible and can provide valuable results.
In addition, based on the data of this research, the outcome may not always be what one expects. In one sense this supports part of the conclusion reached by Anandapara, Dingman, Jakobsson, Liu & Roinestad (2007). Anandapara, et al. (2007) showed that, even though users underwent security education on phishing, the result was not an improved ability of participants to identify phishing scams, but rather increased suspicion of participants. So, in this respect, the research of Anandapara, et al. (2007) is confirmed. The findings of this study also support their research which concludes that obtaining a high test score does not signify a better ability to identify a phishing scam. This study also extends their research since actual behaviour is measured and it, therefore, may not be burdened with the subject-expectancy effect.
In addition, this research supports and extends the work of Srikwan and Jakobsson (2007) regarding the end-user’s need to understand the underlying threat when it comes to awareness and the lack of effective (online) education. Hypothesis 2 shows that the training administered was effective and end-user feedback was overwhelmingly positive.
On one level, this research modifies previous conclusions by scholars and practitioners who believe that educating users is futile (Evers, 2006; Nielsen, 2004; Ranum, 2005). Based on this research, it is clear that this view is too simplistic. This research has demonstrated that end-users showed an improved understanding of security, and compliant behaviour was demonstrated. However, compliant behaviour has not been linked solely to the outcome of awareness training. The results of this research suggest that, while awareness is necessary, it is not sufficient to ensure compliance by end-users. Proclamations by the aforementioned researchers are not helpful and confuse the nature of the problem even further. A more helpful question in this regard would be, for example: under what circumstances is educating users futile? Straub (1990) provides further evidence that awareness training is but one intervention necessary for compliance. He states that a combination of the dissemination of security material and publically known efforts to detect non-compliant behaviour will significantly deter such behaviour.
Ultimately, the answer may be to turn to social theories and look at aspects such as attitudes, which affect intentions, which eventually affect behaviour (Lee J. & Lee Y., 2002). The results of this research support the importance of such behavioural aspects that have been identified by previous researchers (such as Schultz, 2001; Siponen, 2001; Srikwan et al. 2007; Van Niekerk & Von Solms, 2004).
Perhaps the greatest contribution of this research is to support previous authors in the field of Behavioural Information Security, looking at what motivates security-related behaviours. At face value, the results support further exploration by Kruger and Kearney (2005), who maintain that behaviour is determined by affect (a person’s emotions about something), behaviour (a person’s intention to act in a certain manner) and cognition (a person’s belief about an object). Pahnila, Siponen and Mahmood (2007) maintain that promoting positive social pressure supports actual compliance with policies. They say this should be done by stating explicitly what needs to be done. So, these could be contributing factors to increased compliance with policies. It is plausible that other factors, such as the values and beliefs of individuals, may interfere with end-user behaviour. Thus, even though employees have fully comprehended the policy, they may not behave as required if there is a conflict with their own belief systems (Schlienger & Teufel, 2003). With respect to the health care community, it has been argued that a security culture needs to be entrenched for security to be effective. This requires, amongst other things, strong commitment from senior management and clear lines of accountability and responsibility (Gaunt, 2000; Kajava & Siponen, 1997; Mitnick & Simon, 2002). The problem is more complex than simply promoting awareness among employees: ethical considerations, external factors and how employees see the organisation may all play a role in influencing security compliant behaviour.
The outcome of this research also refutes conclusions made by Mitnick and Simon (2002) who assert that measuring employee behaviour is too difficult and could be flawed. This research has shown that, although the process may be complex, it is possible, and can be automated to a large degree. Further work on developing a reliable measurement framework based on previous authors’ studies as well as this study is plausible.
Finally, this research also supports and extends the conclusions of Vroom and Von Solms (2004): sharing one’s password (categorised as a ‘Naïve mistake’) was not associated with training and awareness. A further conclusion by the same scholars was that the behaviour of choosing strong passwords (‘Basic hygiene’) was associated with awareness and training. That conclusion, however, was not corroborated by this study. It must also be borne in mind that Stanton, Stam, Guzman and Caldera (2003) used a national survey for their study, whereas this research used direct observation in a case study where actual user behaviour was measured. Therefore, this study extended the conclusions and research carried out by Dhillon (1999).
8.2 Implications for the Research Problem
According to Dhillon (1999), increasing awareness of security issues is the most cost-effective control that an organisation can implement. Research that contributes to the effectiveness of awareness will ultimately benefit organisations as a whole. It will allow them to focus on techniques that improve their employees’ intentions and ultimately shift end-user security behaviours towards a more benevolent state. The literature survey strongly implies that further research is needed in this respect. Diverse methods for measuring different behaviours are also called for (Stanton et al., 2005) and have been demonstrated by this research. This research contributes to a standard set of instruments that could prove useful to practitioners in the future. The instruments used are more suitable for measuring behaviour requiring low technical expertise. Measurements of malicious types of behaviour, on the other hand, will not be as easy to obtain, so other methods will need to be used; this is believed to be considerably more challenging (Stanton et al., 2005).
The implications for practitioners are potentially significant. In order for organisations to implement effective Information Security, understanding of the information security policies by all employees within an organisation is needed. In addition, compliance with these policies is necessary and, in some cases, needs to be demonstrated by the Information Security function or Risk Management function within an organisation, in order to justify their activities. Taken at face value, the outcome of this research points to the fact that security awareness training, while important, is not sufficient to prevent non-compliant behaviour and ensure compliant behaviour. Pragmatic guidance for practitioners when designing and implementing their information security awareness programmes is provided by this research.
The results of this research could also be financially beneficial to organisations: if it is further corroborated that Behavioural Security aspects such as attitude, positive reinforcement and so on are key, then organisations could channel their resources into the most cost-effective methods. Spending blindly on information security awareness campaigns without an appropriate measuring mechanism is not cost-effective. Thus it must be determined which techniques have the greatest impact on behaviour, which are most effective and which are inefficient and to be avoided. Shifting the intentions of employees to being more cooperative will ultimately benefit organisations. Thus the outcomes of this research should enable organisations to focus on techniques that improve their employees’ intentions and ultimately encourage more beneficial end-user security behaviours. In addition, this research contributes a set of tools or techniques that future scholars and practitioners could use and improve to measure end-user behaviour.
9. RESEARCH AGENDA
Security awareness training should influence all employees within an organisation to ensure that appropriate behaviour is enacted by all and that compliance with information security policies is achieved. To confirm this, the following questions should be explored further. In terms of explicit knowledge, what type of security awareness training is more likely to influence behaviour (i.e. how important are the quality of the awareness material and the mechanism of delivery)? How could practitioners more easily deliver the awareness message to ensure greater participation from end-users? The present research used a novel way to distribute awareness material to end-user desktops. Standardised, cost-effective and automated mechanisms for gathering system-generated data (especially for behaviours requiring high levels of expertise), and their feasibility, require additional investigation; the present research demonstrated that such automation is possible using standard techniques and tools. In terms of implicit knowledge, further standardised mechanisms should be explored to determine how best to measure it, taking into account scientific principles of learning. What are the most effective learning principles, and under what conditions are they effective? The status of employees within the organisation, and the role this status plays in awareness training, are important to determine in future research. Once users fully comprehend policies, are the same types of interventions necessary to sustain the required behaviours? This is important as it is likely to determine how often awareness interventions are required; longitudinal studies would be necessary in this regard. An understanding is also needed of the influence of factors such as user attitude, perceptions and corporate politics on internalisation of the security awareness message and subsequent behaviour.
Finally, further research is needed on a taxonomy of security behaviours, building even further on the work of Stanton et al. (2005).
This paper provides two major contributions. Firstly, it has shown that there is a shortage of in-depth information security awareness research and that behavioural concepts are not properly taken into account in security awareness programmes. There is also a shortage of theoretical models explaining how awareness training affects behaviour. This study built on existing behavioural information security research and put forward a theoretical model based on an organisational learning model.
Secondly, this research tested the proposed model empirically using system-generated data as indicators of behaviour in a pre-test/post-test experimental design. Therefore, the perceptions of users of their own behaviour were not relied upon. Previous research has used interviews, surveys and ‘participatory observation’ to draw conclusions about end-user behaviours in this regard. This study measured a subset of behaviours required by a typical AUP, whereas much of the previous and recent research with respect to awareness training effectiveness has focused on phishing-related threats. The objective of this research was to determine the effectiveness of the information security awareness training that was administered to end-users. It has produced a set of instruments that could be used in future research for behavioural measurement. It is these items that the author believes set this research apart from the existing literature and contribute to the resolution of the research problem. Such a model could help scholars and practitioners to understand why an awareness initiative is expected to have certain results on security behaviour and, consequently, provide practitioners with practical guidance for their information security programmes.
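The pre-test/post-test measurement described above, shown as an added illustration rather than one of the paper’s own instruments: the script below takes constructed system-generated records for a set of users before and after an awareness intervention, applies assumed AUP rules (an assumed 90-day maximum password age and a required idle screen lock), and reports the per-behaviour compliance rate in each phase together with an exact McNemar test on the paired before/after outcomes of each user. The record format, user identifiers, indicator names and every value are assumptions made for the example.

```python
"""Pre-test/post-test comparison of AUP-related behaviours from system-generated records.

Added illustration; not an instrument from the paper. Record format, users,
indicator names, AUP thresholds and all values are constructed assumptions.
"""
from collections import defaultdict
from math import comb

# Constructed sample of audit records (one per user per phase; not data from the paper).
# Format: phase,user,indicator=value,...
#   phase           pre (before the awareness intervention) or post (after it)
#   lock_when_idle  1 = workstation locked when left idle, 0 = left unlocked
#   password_age    days since the password was last changed
SAMPLE_RECORDS = """\
pre,u01,lock_when_idle=0,password_age=120
pre,u02,lock_when_idle=0,password_age=30
pre,u03,lock_when_idle=1,password_age=200
pre,u04,lock_when_idle=0,password_age=45
pre,u05,lock_when_idle=0,password_age=95
pre,u06,lock_when_idle=1,password_age=10
pre,u07,lock_when_idle=0,password_age=150
pre,u08,lock_when_idle=0,password_age=60
pre,u09,lock_when_idle=0,password_age=80
pre,u10,lock_when_idle=0,password_age=300
post,u01,lock_when_idle=1,password_age=110
post,u02,lock_when_idle=1,password_age=20
post,u03,lock_when_idle=1,password_age=200
post,u04,lock_when_idle=1,password_age=50
post,u05,lock_when_idle=0,password_age=95
post,u06,lock_when_idle=1,password_age=15
post,u07,lock_when_idle=1,password_age=40
post,u08,lock_when_idle=0,password_age=70
post,u09,lock_when_idle=1,password_age=100
post,u10,lock_when_idle=1,password_age=300
"""

# Assumed AUP rules: map a raw indicator value to compliant (True) / non-compliant (False).
AUP_RULES = {
    "lock_when_idle": lambda v: int(v) == 1,
    "password_age": lambda v: int(v) <= 90,  # assumed 90-day maximum password age
}


def parse_records(text):
    """Return {indicator: {user: {phase: compliant}}} from the record text."""
    table = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        phase, user, *fields = line.split(",")
        for field in fields:
            indicator, value = field.split("=")
            table[indicator][user][phase] = AUP_RULES[indicator](value)
    return table


def mcnemar_exact_p(improved, worsened):
    """Two-sided exact McNemar test: are the discordant pairs skewed one way?"""
    n = improved + worsened
    if n == 0:
        return 1.0  # nobody changed state, so no evidence of any shift
    k = min(improved, worsened)
    tail = sum(comb(n, i) for i in range(k + 1)) / 2 ** n
    return min(1.0, 2 * tail)


def compare_phases(table, indicator):
    """Compliance rate before and after, plus a paired test, for one behaviour."""
    users = table[indicator]
    # Only users observed in both phases can be paired with themselves.
    paired = {u: p for u, p in users.items() if "pre" in p and "post" in p}
    n = len(paired)
    improved = sum(1 for p in paired.values() if not p["pre"] and p["post"])
    worsened = sum(1 for p in paired.values() if p["pre"] and not p["post"])
    return {
        "users": n,
        "pre_rate": sum(p["pre"] for p in paired.values()) / n,
        "post_rate": sum(p["post"] for p in paired.values()) / n,
        "improved": improved,
        "worsened": worsened,
        "p_value": mcnemar_exact_p(improved, worsened),
    }


def summarise(text=SAMPLE_RECORDS):
    """Per-behaviour summary for every indicator present in the records."""
    table = parse_records(text)
    return {ind: compare_phases(table, ind) for ind in sorted(table)}


if __name__ == "__main__":
    for ind, r in summarise().items():
        print(f"{ind}: {r['pre_rate']:.0%} -> {r['post_rate']:.0%} "
              f"(improved={r['improved']}, worsened={r['worsened']}, "
              f"p={r['p_value']:.3f}, n={r['users']})")
```

Each user is compared with themselves rather than comparing two aggregate rates, because the same people are observed in both phases; the discordant pairs (users who changed state) are what carry the evidence. On the constructed data the screen-lock behaviour shifts from 20% to 80% with six users improving and none worsening, while the password-age behaviour stays at 50% with one user improving and one worsening, which is the kind of mixed result the paper reports when awareness alone is expected to drive compliance. With only ten users the exact test is the appropriate one; a chi-square approximation would be unreliable at this sample size.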
The results of this research found that the security awareness training was effective in terms of whether or not the end-users in question retained increased security knowledge. However, there was no evidence to suggest that security awareness by itself is sufficient for compliant behaviour by end-users. It is further maintained that security awareness training is a necessary, integral component that influences compliant behaviour but is not fully adequate on its own. Practitioners must insist that their security awareness programmes are measured in terms of effectiveness and should focus on behavioural aspects to complement awareness initiatives.
LIST OF REFERENCES
Anandapara, V., Dingman, A., Jakobsson, M., Liu, D., & Roinestad, H. (2007). Phishing IQ tests measure fear, not ability. Usable Security (USEC’07). Available from: http://usablesecurity.org/papers/anandpara.pdf
Dhillon, G. (1999). Managing and controlling computer misuse. Information Management & Computer Security, 7(4), 171-175.
Drucker, P.F. (1993). Post-capitalist society. Oxford: Butterworth Heinemann.
Evers, J. (2006). Security Expert: User education is pointless. Retrieved 2007 from http://www.news.com/Security-expert-User-education-is-pointless/2100-7350_3-6125213.html?tag=item
Gaunt, N. (2000). Practical approaches to creating a security culture. International Journal of Medical Informatics, 60(2), 151-157.
Kabay, M.E. (2002). Using Social Psychology to Implement Security Policies. In Bosworth, S. & Kabay, M.E. (Eds.), Computer Security Handbook (4th ed.). USA: John Wiley & Sons, Inc.
Kajava, J., & Siponen, M.T. (1997). Effectively Implemented IS security Awareness – An Example from University Environment. Conference proceedings of the 13th International Conference on IS security: IS security Management – The Future. Conducted by IFIP-TC 11 (Sec’97/WG 11.1).
Katsikas, S.K. (2000). Health care management and information systems security: awareness, training or education? International Journal of Medical Informatics, 60, 129-135.
Kruger, H.A., & Kearney, W.D. (2005). Measuring information security awareness: A West Africa Gold Mining environment case study. Peer-reviewed conference proceedings of the ISSA 2005 New Knowledge Today Conference held in Sandton, South Africa.
Lee, J., & Lee, Y. (2002). A holistic model of computer abuse within organizations. Information Management & Computer Security, 10(2), 57-63.
McCoy, C., & Fowler, R.T. (2004). You are the key to security: establishing a successful security awareness program. Conference proceedings of the 32nd annual ACM SIGUCCS conference on User services, held in Baltimore, Maryland.
Mitnick, K. D., & Simon, W.L. (2002). The Art of Deception: Controlling the Human Element of Security. John Wiley & Sons.
Nielsen, J. (2004). User education is not the answer to security problems. Retrieved 2007 from http://www.useit.com/alertbox/20041025.html
Nonaka, I., & Takeuchi, H. (1995). The Knowledge Creating Company. New York: Oxford University Press.
OECD. (2002). OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. Retrieved 2006 from http://www.oecd.org/dataoecd/16/22/15582260.pdf
Pahnila, S., Siponen, M., & Mahmood, A. (2007). Employees’ Behavior towards IS Security Policy Compliance. Conference proceedings of the 40th Hawaii International Conference on System Sciences.
Peltier, T. (2000). How to build a comprehensive security awareness program. Computer Security Journal, 16(2), 23-32.
Puhakainen, P. (2006). A Design theory for information security awareness. Doctoral dissertation. University of Oulu.
Ranum, M. (2005). The six dumbest ideas in computer security. Retrieved 2007 from http://www.ranum.com/security/computer_security/editorials/dumb/
Schlienger, T., & Teufel, S. (2003). Information Security Culture – From Analysis to Change. Conference proceedings of the 3rd Annual Information Security South Africa Conference, held in Sandton, South Africa.
Schneier, B. (2000). Secrets & Lies. New York: Wiley Computer Publishing.
Schultz, E. (2001). Security training and awareness—fitting a square peg in a round hole. Computers & Security, 23(1), 1-2.
Siponen, M.T. (2000). A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 8(1), 31-41.
Siponen, M.T. (2001). Five dimensions of Information Security Awareness. Computers and Society, 32(2), 24-29.
Sommers, K. & Robinson, B. (2004). Security awareness training for students at Virginia Commonwealth University. Conference proceedings of the SIGUCCS’04, conference held in Baltimore, Maryland.
Srikwan, S. & Jakobsson, M. (2007). Using cartoons to teach Internet Security. Retrieved 2007 from http://www.informatics.indiana.edu/markus/documents/security-education.pdf
Stanton, J. M., Stam, K. R., Guzman, I., & Caldera, C. (2003). Examining the linkage between organizational commitment and information security. Conference proceedings of the IEEE Systems, Man, and Cybernetics Conference held in Washington, DC.
Stephanou, A. (2008). The impact of information security awareness training on information security behaviour. Research report submitted to Faculty of Commerce, Law and Management, University of the Witwatersrand, in partial fulfilment of the requirements for the degree of Master of Commerce.
Stephanou, T., & Dagada, R. (2008). The impact of information security awareness training on information security behavior: the case of further research. ISSA 2008 Conference. University of Johannesburg, 2 to 4 July 2008.
Straub, D.W. (1990). Effective IS Security: An Empirical Study. Information Systems Research 1(3), 255-276.
Van Niekerk, J. & Von Solms, R. (2004). Organisational learning models for information security. Peer-reviewed proceedings of the ISSA 2004 Enabling Tomorrow Conference held at Gallagher Estate, Midrand.
Von Solms, B. (2000). Information Security – The Third Wave. Computers & Security, 19, 615-620.
Vroom, C., & Von Solms, R. (2004). Towards information security behavioural compliance. Computers & Security, 23, 191–198.