"Get a red-hot poker and open up my eyes, it's so boring": Employee perceptions of cybersecurity training

Abstract

Organisations and security professionals design Security Education, Training, and Awareness (SETA) programs to improve cybersecurity behaviour, but employees often receive these programs poorly. To understand employees' negative perceptions of SETA programs, we conducted in-depth interviews with 20 Australian employees about their experiences with both SETA programs and non-cybersecurity workplace training. As expected, employees had a generally poor view of SETA programs. They reported that the factors important for effective non-cybersecurity training, such as management role modelling and well-designed workplace systems, are also important for SETA programs. However, the relative importance of these factors differed between the two contexts. For example, employees indicated that the misbehaviour of their colleagues weighs more heavily in their appraisal of a SETA program than in their appraisal of a non-cybersecurity workplace training program. Our results suggest that employee perceptions of SETA programs relate to their previously held beliefs about cybersecurity threats, the content and delivery of the training program, the behaviour of others around them, and features of their organisation. From an applied perspective, these findings can explain why employees often do not engage with cybersecurity training material, and how their current beliefs can shape their receptivity to future training.
