WHAT, I SHOULDN’T HAVE DONE THAT?: THE INFLUENCE OF TRAINING AND JUST-IN-TIME REMINDERS ON SECURE BEHAVIOR

Completed Research Paper

Organizations often implement Security Education, Training, and Awareness (SETA) programs to help improve secure behavior. SETA programs can be multifaceted; however, organizations often take a “one-size-fits-all” approach to improve security, without understanding how different SETA components influence behavior. In this research, we explain how two common SETA program components—online training and reminders—influence behavior through discrete theoretical mechanisms. First, we hypothesize that online training influences behavior through improving beliefs and intentions. However, because of dual-task interference, the relationship between beliefs and intentions may be hindered. We then explain how just-in-time reminders can help overcome dual-task interference and influence behavior directly. We test our hypotheses in a realistic experiment that operationalizes secure behavior as sensitive information disclosure. Our results confirm that training influences beliefs and intentions, and reminders influence behavior directly. Theoretical and practical implications are discussed regarding the use of multi-faceted SETA programs to improve actual secure behavior.
