Abstract

The effectiveness of cybersecurity management programs is contingent on improving employee security behaviour. Security education, training, and awareness (SETA) programs aim to drive positive behaviour change in support of cybersecurity objectives. In this paper, we argue that existing SETA programs are suboptimal as they aim to improve employee knowledge acquisition rather than behaviour and belief. We apply social marketing principles to examine SETA practices across six organisations. We find that SETA programs fail to implement the key principles and concepts of social marketing that are essential for positive behaviour change. We therefore propose a novel development process for SETA based on a social marketing approach. We explain how the new approach can be used to develop SETA programs that are focused on behaviour change.

Full Text
Published version (Free)

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call