Toward Sustainable Behaviour Change: An Approach for Cyber Security Education, Training and Awareness

Effective information security education, training and awareness (SETA) is essential for protecting organisational information resources. Whilst most organisations invest significantly in implementing SETA programs, the number of incidents resulting from employee noncompliance with security policy is increasing. This trend may indicate that many current SETA programs are not as effective as they should be. We argue that existing SETA programs are not optimal in changing employee behaviour to comply with security policy because they lack a theoretical base that can inform and guide their development. This study draws on knowledge from the medical domain on the use of theory to design interventions that bring about sustainable behaviour change. The paper therefore adopts an intervention design process, based on the behaviour change wheel (BCW) framework, to develop a theory-informed SETA development process. The paper demonstrates the use of the BCW in the analysis of the target behaviour and in the selection of suitable strategies and techniques to change that behaviour. The proposed SETA development process provides a sound basis for future empirical work, including focus groups and action research.
