Measures for improving information security management in organisations: the impact of training and awareness programmes

Security breaches have attracted corporate attention, and major organisations are now determined to stop them because they are detrimental to organisational success. Users' security awareness and cautious behaviour play an important role in information security both within and outside the organisation. Arguably the most common factor contributing to these breaches is human behaviour towards security, which suggests that changes in human behaviour can improve security. One measure suggested for modifying employee behaviour is training and awareness-raising. However, before effective training and awareness programmes can be developed to achieve this aim, it is essential to understand which factors influence user behaviour and attitudes towards information security. For this study, interviews with employees in the public and private sectors were conducted to explore the factors that influence security behaviour when handling information. Our findings offer preliminary insight into the implications for designing more effective training and awareness programmes that assure and sustain appropriate security behaviour in the long term.

Keywords: information security, awareness, security behaviour, training and awareness programme, qualitative research.
