Effects on employees' information security abilities by e-learning

Purpose – The purpose of this paper is to measure and discuss the effects of an e‐learning tool aiming at improving the information security knowledge, awareness, and behaviour of employees.Design/methodology/approach – The intervention study has a pre‐ and post‐assessment of knowledge and attitudes among employees. In total, 1,897 employees responded to a survey before and after the intervention. The population is divided into an intervention group and a control group, where the only thing that separates the groups is participation in the intervention (i.e. the e‐learning tool).Findings – The study documents significant short‐time improvements in security knowledge, awareness, and behavior of members of the intervention group.Research limitations/implications – The study looks at short‐time effects of the intervention. The paper has done a follow‐up study of the long‐term effects, which is also submitted to Information Management & Computer Security.Practical implications – The study can document that so...

[1]  R. Likert “Technique for the Measurement of Attitudes, A” , 2022, The SAGE Encyclopedia of Research Design.

[2]  Linda M. Goldenhar,et al.  Guide to Evaluating the Effectiveness of Strategies for Preventing Work Injuries: How to Show Whether a Safety Intervention Really Works , 2001 .

[3]  Steven Furnell,et al.  Why users cannot use security , 2005, Comput. Secur..

[4]  A. Hale,et al.  Individual behaviour in the control of danger. , 1987 .

[5]  Rossouw von Solms,et al.  Towards an Information Security Competence Maturity Model , 2006 .

[6]  Eirik Albrechtsen,et al.  Friend or foe? Information security management of employees , 2008 .

[7]  T. Kristensen Intervention studies in occupational epidemiology , 2005, Occupational and Environmental Medicine.

[8]  Josefinne Lund,et al.  Accident prevention. Presentation of a model placing emphasis on human, structural and cultural factors , 2004 .

[9]  Torbjørn Rundmo,et al.  Risk Attitudes and Behavior Among Norwegian Adolescents: The Effects of a Behavior Modification Prog , 2005 .

[10]  Chunming Rong,et al.  Protection against unauthorized access and computer crime in Norwegian enterprises , 2008, J. Comput. Secur..

[11]  Nils Brunsson The Organization of Hypocrisy: Talk, Decisions and Actions in Organizations , 1989 .

[12]  E. Eugene Schultz,et al.  The human factor in security , 2005, Comput. Secur..

[13]  Ortwin Renn,et al.  A New Approach to Risk Evaluation and Management: Risk‐Based, Precaution‐Based, and Discourse‐Based Strategies 1 , 2002, Risk analysis : an official publication of the Society for Risk Analysis.

[14]  H. Braverman Labor and Monopoly Capital: The Degradation of Work in the Twentieth Century , 1996 .

[15]  James Backhouse,et al.  Current directions in IS security research: towards socio‐organizational perspectives , 2001, Inf. Syst. J..

[16]  Terry L. Wiant,et al.  Information security policy's impact on reporting security incidents , 2005, Comput. Secur..

[17]  Jens Rasmussen,et al.  Risk management in a dynamic society: a modelling problem , 1997 .

[18]  P A Schulte,et al.  Intervention research in occupational health and safety. , 1994, Journal of occupational medicine. : official publication of the Industrial Medical Association.

[19]  Bruce Schneier,et al.  Secrets and Lies: Digital Security in a Networked World , 2000 .

[20]  Eugene Schultz Security training and awareness - fitting a square peg in a round hole , 2004, Comput. Secur..

[21]  Eirik Albrechtsen,et al.  A qualitative study of users' view on information security , 2007, Comput. Secur..

[22]  E. Albrechtsen J.M. Hagen,et al.  Information security measures influencing user performance , 2008 .

[23]  Clifton L. Smith,et al.  The Development of Access Control Policies for Information Technology Systems , 2002, Comput. Secur..

[24]  Eirik Albrechtsen,et al.  Implementation and effectiveness of organizational information security measures , 2008, Inf. Manag. Comput. Secur..

[25]  Andy Ju An Wang,et al.  Building reusable information security courseware , 2005, InfoSecCD '05.