“Generic and unusable”1: Understanding employee perceptions of cybersecurity training and measuring advice fatigue

Abstract

Security Education Training and Awareness (SETA) programs often fail to reduce organisational cyber risk, and this is linked to the way that employees perceive and appraise such programs. Rather than improving employee awareness, a poorly implemented SETA program may cause fatigue and result in risky cyber behaviours. This paper describes two studies aimed respectively at examining how SETA programs can lead to fatigue and development of a measure of SETA Advice-Related Cybersecurity Fatigue. In Study 1, a repertory grid technique was used to examine employee responses to a series of SETA videos. A total of 24 in-depth semi-structured interviews were conducted with individuals from a variety of industries. Key themes related to the content, style, and design, of cybersecurity training videos, but also employees’ perceived characteristics of the intended audience and broader preconceptions of cybersecurity principles. In Study 2, we developed the Cybersecurity Advice Fatigue Scale (CAFS) Scale, a self-report measure of the fatigue which results from poor cybersecurity advice. A principal component analysis of CAFS scores for 457 working adults revealed a five-factor structure that broadly aligns with the themes identified by the qualitative analyses of Study 1. The results of both studies highlight that employees make inferences about the corporate motivation behind the SETA program, and this influences their receptivity to the content. From an applied perspective, cybersecurity practitioners can use the CAFS to identify features of their cybersecurity training programs which should be improved to enhance the program's efficacy.