A Constructive Approach to Information Systems Security Training: An Action Research Experience

Information systems (IS) security breaches cause significant losses to organizations worldwide. Many approaches have been proposed to improve employees' security behavior. Earlier research shows that only seven out of 59 such approaches rest on a sound theoretical background, and that research on IS security awareness and security behavior has neglected relevant theories from psychology, pedagogy and management. This lack of theoretical grounding may reduce the effectiveness of IS security training and limit our understanding of how to change and improve employees' security behavior towards compliance with organizational information security policies. In this paper we describe a theoretically grounded approach to IS security training based on constructivism. The approach is empirically validated through action research in a telecommunications company. The results show that the approach has a positive impact on employees' security behavior.
