Improving Employees' Compliance Through Information Systems Security Training: An Action Research Study

Employee noncompliance with information systems (IS) security policies is a key concern for organizations: if users do not comply with IS security policies, security solutions lose their efficacy. Of the different approaches to IS security policy compliance, training is the one most commonly suggested in the literature. Yet few of the existing studies of training to promote IS security policy compliance draw on theory to explain which learning principles affect user compliance with IS security policies, or offer empirical evidence of their practical effectiveness. Consequently, there is a need for IS security training approaches that are both theory-based and empirically evaluated. Accordingly, we propose a training program based on two theories, the universal constructive instructional theory and the elaboration likelihood model, and validate it as IS security policy compliance training through an action research project. The action research intervention suggests that the theory-based training achieved positive results and was practical to deploy. It also suggests that information security training should use content and methods that activate and motivate learners to engage in systematic cognitive processing of the information they receive during the training. In addition, the action research study made clear that a continuous communication process was also required to improve user IS security policy compliance. The findings of this study offer new insights for scholars and practitioners involved in IS security policy compliance.
