Security Education, Training, And Awareness Research Articles

Optimism bias in susceptibility to phishing attacks: an empirical study

Purpose Researchers looking for ways to change the insecure behaviour that results in phishing have considered multiple possible reasons for such behaviour. Therefore, the purpose of this paper is to understand the role of optimism bias (OB – defined as a cognitive bias), which characterises overly optimistic or unrealistic individuals, to ensure secure behaviour. Research that focused on issues such as personality traits, trust, attitude and Security, Education, Training and Awareness (SETA) was considered. Design/methodology/approach This study built on a recontextualized version of the theory of planned behaviour to evaluate the influence that optimism bias has on phishing susceptibility. To model the data, an analysis was performed on 226 survey responses from a South African financial services organisation using partial least squares (PLS) path modelling. Findings This study found that overly optimistic employees were inclined to behave insecurely, while factors such as attitude and trust significantly influenced the intention to behave securely. Practical implications Our contribution to practice seeks to enhance the effectiveness of SETA by identifying and addressing the optimism bias weakness to deliver a more successful training outcome. Originality/value Our study enriches the Information Systems literature by evaluating the effect of a cognitive bias on phishing susceptibility and offers a contextual explanation of the resultant behaviour.

Fortifying Healthcare: An Action Research Approach to Developing an Effective SETA Program

Organizations continue to use security education training and awareness (SETA) programs to reduce the number of cybersecurity incidents related to phishing. A large healthcare organization contacted the authors to share that they continued to struggle with the efficacy of their traditional training program and to ask whether we could design a better program. Using an action research methodology, we designed a new training program using self-regulation theory. We tested this new training with an experiment using a sample of 307 medical and administrative staff. The results of chi-square tests comparing the click rate of phishing emails before and after the training showed that the new SETA program was more effective than the existing SETA program (overall medical staff χ2 = 4.87, p < 0.05; overall administrative staff χ2 = 16.04, p < 0.05). The results also showed differences between medical and office staff regarding the effectiveness of training. The research shows the effectiveness of self-regulatory theory in SETA training and how this approach leads to significant improvement vs traditional methods of training. The research also points to new emerging issues in security training research.

An Empirical Study of SETA Program Sustaining Educational Sector’s Information Security vs. Information Systems Misuse

Information systems misuse and data breaches are among the most common information security threats at the organisational and individual levels. Security, Education, Training and Awareness (SETA) program can be effective tools in addressing and preventing such risks for sustaining the educational sector’s information security, although it is costly to implement and achieves limited results. Several studies have shown that SETA implementation can improve corporate employees’ information security protection behaviours. This study adopts the method of quantitative research, deterrence theory with selected perceived cost and information security awareness (ISA) as intermediate variables and explores how SETA programs affect information system abuse on campuses. The results show that implementing the SETA program positively impacts perceived cost and ISA; perceived cost and information security positively impact reducing misuse behaviour of information systems. At last, we provide rationalisation suggestions for individual students and schools to help SETA programs to be better implemented.

Critical success factors for Security Education, Training and Awareness (SETA) programme effectiveness: an empirical comparison of practitioner perspectives

PurposeCyber security has never been more important than it is today in an ever more connected and pervasive digital world. However, frequently reported shortages of suitably skilled and trained information system (IS)/cyber security professionals elevate the importance of delivering effective Security Education,Training and Awareness (SETA) programmes within organisations. Therefore, the purpose of this study is the questionable effectiveness of SETA programmes at changing employee behaviour and an absence of empirical studies on the critical success factors (CSFs) for SETA programme effectiveness.Design/methodology/approachThis exploratory study follows a three-stage research design to give voice to practitioners with SETA programme expertise. Data is gathered in Stage 1 using semi-structured interviews with 20 key informants (the emergence of the CSFs), in Stage 2 from 65 respondents to a short online survey (the ranking of the CSFs) and in Stage 3 using semi-structured interviews with nine IS/cyber security practitioners (the emergence of the guiding principles). Using a multi-stage research design allows the authors to propose and evaluate the 11 CSFs for SETA programme effectiveness.FindingsThis study conducted a mean score analysis to evaluate the level of importance of each CSF within two independent groups of IS/cyber security professionals. This multi-stage analysis produces a ranked list of 11 CSFs for SETA programme effectiveness, while the difference in the rankings leads to the emergence of five CSF-specific guiding principles (to increase the likelihood of delivering an effective SETA programme within an organisational context). This analysis also reveals that most of the contradictions/differences in CSF rankings between IS/cyber security practitioners are linked to the design phase of the SETA programme life cycle. While two CSFs, “maintain quarterly evaluation of employee performance” (CSF-DS6) and “build security awareness campaigns” (CSF-EV1), represent the most significant contradiction in this study.Originality/valueThe 11 CSFs for SETA programme effectiveness, along with the five CSF-specific guiding principles, provide a greater depth of knowledge contributing to both theory and practice and lays the foundation for future studies. Therefore, the outputs of this study provide valuable insights on the areas that practice needs to get right to deliver effective SETA programmes.

How Effective are SETA Programs Anyway: Learning and Forgetting in Security Awareness Training

Prevalent security threats caused by human errors necessitate security education, training, and awareness (SETA) programs in organizations. Despite strong theoretical foundations in behavioral cybersecurity, field evidence on the effectiveness of SETA programs in mitigating actual threats is scarce. Specifically, with a broad range of cybersecurity knowledge crammed into in a single SETA session, it is unclear how effective different types of knowledge are in mitigating human errors in a longitudinal setting. his study investigates how knowledge gained through SETA programs affects human errors in cybersecurity to fill the longitudinal void. In a baseline experiment, we establish that SETA programs reduce phishing susceptibility by 50%, whereas the training intensity does not affect the rate. In a follow-up experiment, we find that SETA programs can increase employees’ cybersecurity knowledge by 12-17%, but the increment wears off within a month. Furthermore, technical-level knowledge decays faster than application-level knowledge. The longer “shelf-life” of application-level knowledge explains why training intensity makes no difference within a month. This study reveals a (relatively) more effective component of SETA programs and cast doubts on the overall effectiveness of SETA programs in the long run.

The critical success factors for Security Education, Training and Awareness (SETA) program effectiveness: a lifecycle model

PurposeThis study explores the critical success factors (CSFs) for Security Education, Training and Awareness (SETA) program effectiveness. The questionable effectiveness of SETA programs at changing employee behavior and an absence of empirical studies on the CSFs for SETA program effectiveness is the key motivation for this study.Design/methodology/approachThis exploratory study follows a systematic inductive approach to concept development. The methodology adopts the “key informant” approach to give voice to practitioners with SETA program expertise. Data are gathered using semi-structured interviews with 20 key informants from various geographic locations including the Gulf nations, Middle East, USA, UK and Ireland.FindingsIn this study, the analysis of these key informant interviews, following an inductive open, axial and selective coding approach, produces 11 CSFs for SETA program effectiveness. These CSFs are mapped along the phases of a SETA program lifecycle (design, development, implementation and evaluation) and nine relationships identified between the CSFs (within and across the lifecycle phases) are highlighted. The CSFs and CSFs' relationships are visualized in a Lifecycle Model of CSFs for SETA program effectiveness.Originality/valueThis research advances the first comprehensive conceptualization of the CSFs for SETA program effectiveness. The Lifecycle Model of CSFs for SETA program effectiveness provides valuable insights into the process of introducing and sustaining an effective SETA program in practice. The Lifecycle Model contributes to both theory and practice and lays the foundation for future studies.

“Generic and unusable”1: Understanding employee perceptions of cybersecurity training and measuring advice fatigue

Security Education Training and Awareness (SETA) programs often fail to reduce organisational cyber risk, and this is linked to the way that employees perceive and appraise such programs. Rather than improving employee awareness, a poorly implemented SETA program may cause fatigue and result in risky cyber behaviours. This paper describes two studies aimed respectively at examining how SETA programs can lead to fatigue and development of a measure of SETA Advice-Related Cybersecurity Fatigue. In Study 1, a repertory grid technique was used to examine employee responses to a series of SETA videos. A total of 24 in-depth semi-structured interviews were conducted with individuals from a variety of industries. Key themes related to the content, style, and design, of cybersecurity training videos, but also employees’ perceived characteristics of the intended audience and broader preconceptions of cybersecurity principles. In Study 2, we developed the Cybersecurity Advice Fatigue Scale (CAFS) Scale, a self-report measure of the fatigue which results from poor cybersecurity advice. A principal component analysis of CAFS scores for 457 working adults revealed a five-factor structure that broadly aligns with the themes identified by the qualitative analyses of Study 1. The results of both studies highlight that employees make inferences about the corporate motivation behind the SETA program, and this influences their receptivity to the content. From an applied perspective, cybersecurity practitioners can use the CAFS to identify features of their cybersecurity training programs which should be improved to enhance the program's efficacy.

The effects of knowledge mechanisms on employees' information security threat construal

AbstractOrganisations implement a variety of knowledge mechanisms such as information security education, training and awareness (SETA) programs and information security policies, to influence employees' secure behaviour. Despite increased efforts to provide information systems (IS) security knowledge to employees, data breaches and other security incidents resulting from insider behaviour continue. Recent IS security research, primarily grounded on assumptions of employees' rational assessment of numerous factors, has yielded inconsistent results. Challenging this paradigm, we model secure behaviour on security knowledge mechanisms, which focuses on the multidimensional nature of security knowledge breadth, depth and finesse to represent the full array of managerial levers. We further draw on construal level theory to conceptualise users' perceptual judgements of security messages. Two studies support our model, with the second building on the first. Study 1, an experiment with 312 participants, focused on validating the treatments. Study 2, a survey with 219 participants, validated the entire model. Results showed that our model has significantly more explanatory and predictive power than the orthodox paradigm. Our results have practical implications for optimising the organisation of knowledge mechanisms by emphasising the personal relevance of threats and defining the factors that lead to secure behaviour. We also contribute to the discourse on information security research and provide a template for integrating theories, thus opening new avenues for future research.

The impact of SETA event attributes on employees’ security-related Intentions: An event system theory perspective

Current research recommends security education, training, and awareness (SETA) programs as an effective way to counter internal security threats and promote employees’ security behaviors. Contrary to the dominant approach, which views SETA as a simple, single construct, we argue that the attributes of SETA are the key determinants of the programs’ impact on individuals. More specifically, we bridge this gap by using event system theory (EST) to conceptualize SETA programs as “organization events” and empirically test the role of SETA attributes in affecting employees’ intentions to comply with security policy (i.e., in-role behavioral intentions) and extra-role behavioral intentions. The results of this research advance the understanding of SETA attributes and their impacts on employees’ compliance intentions and extra-role behavioral intentions from the EST perspective. The results suggest that the novelty of SETA event is more effective in fueling extra-role behavioral intention than compliance intention. The results also suggest that criticality exerts a similar positive influence on both compliance and extra-role behavioral intention, while the disruption of SETA event has a significant negative effect on these two intentions. Further, there is evidence that the negative relationship between SETA event disruption and two security behavioral intentions is stronger when the SETA event is dispersed throughout a wide range of organizational hierarchy levels. The expected research and practical implications are also discussed in the paper.

Passive and active training approaches for critical infrastructure protection

In order to strengthen Critical Infrastructure's protection and resilience, it is central to invest in training and simulations, to spread a security culture and develop the awareness among all personnel involved in the Critical Infrastructure security. Nowadays, attackers represent a major threat due to the combination of both cyber and kinetic operations, targeting human factors vulnerabilities. It is also critical to develop and straighten a “human firewall” inside critical organizations through the enhancement of Security Education, Training and Awareness (SETA) and stresses the need for the development of a security culture inside organizations. In such scenarios, today, the awareness within organizations, both in public and private sector, is achieved through passive and active training techniques. A hybrid approach is proposed as a powerful compromise between the two that can best deliver the desired level of awareness and meet the needs and satisfaction of employees. Adopting a balanced mix of techniques that comprise engagement-based and less interactive methods seems to be the best way to attain security awareness.

“Get a red-hot poker and open up my eyes, it's so boring”1: Employee perceptions of cybersecurity training

Organisations and security professionals design Security Education, Training, and Awareness (SETA) programs to improve cybersecurity behaviour, but they are often poorly received by employees. To understand employee negative perceptions of SETA programs, we conducted in-depth interviews with 20 Australian employees regarding their experiences with both SETA programs and non-cybersecurity related workplace training. As expected, employees had a generally poor view of SETA programs. They reported that the same factors that are important for effective non-cybersecurity training are also important for SETA programs, such as management role modelling and well-designed workplace systems. However, the level of importance of these factors differed across the two contexts. For example, employees indicated that the misbehaviour of their colleagues is a more important factor for their appraisal of a SETA program than it is for a non-cybersecurity workplace training program. Our results suggest that employee perceptions of SETA programs relate to their previously held beliefs about cybersecurity threats, the content and delivery of the training program, the behaviour of others around them, and features of their organisation. From an applied perspective, these findings can explain why employees often do not engage with cybersecurity training material, and how their current beliefs can influence their receptivity for future training.

Hospital Staff's Adherence to Information Security Policy: A Quest for the Antecedents of Deterrence Variables.

Information security has come to the forefront as an organizational priority since information systems are considered as some of the most important assets for achieving competitive advantages. Despite huge capital expenditures devoted to information security, the occurrence of security breaches is still very much on the rise. More studies are thus required to inform organizations with a better insight on how to adequately promote information security. To address this issue, this study investigates important factors influencing hospital staff’s adherence to Information Security Policy (ISP). Deterrence theory is adopted as the theoretical underpinning, in which punishment severity and punishment certainty are recognized as the most significant predictors of ISP adherence. Further, this study attempts to identify the antecedents of punishment severity and punishment certainty by drawing from upper echelon theory and well-acknowledged international standards of IS security practices. A survey approach was used to collect 299 valid responses from a large Taiwanese healthcare system, and hypotheses were tested by applying partial least squares-based structural equation modeling. Our empirical results show that Security Education, Training, and Awareness (SETA) programs, combined with internal auditing effectiveness are significant predictors of punishment severity and punishment certainty, while top management support is not. Further, punishment severity and punishment certainty are significant predictors of hospital staff’s ISP adherence intention. Our study highlights the importance of SETA programs and internal auditing for reinforcing hospital staff’s perceptions on punishment concerning ISP violation, hospitals can thus propose better internal strategies to improve their staff’s ISP compliance intention accordingly.

Applying social marketing to evaluate current security education training and awareness programs in organisations

The effectiveness of cybersecurity management programs is contingent on improving employee security behaviour. Security education, training, and awareness (SETA) programs aim to drive positive behaviour change in support of cybersecurity objectives. In this paper, we argue that existing SETA programs are suboptimal as they aim to improve employee knowledge acquisition rather than behaviour and belief. We apply social marketing principles to examine SETA practices across six organisations. We find that SETA programs fail to implement the key principles and concepts of social marketing that are essential for positive behaviour change. We therefore propose a novel development process for SETA based on a social marketing approach. We explain how the new approach can be used to develop SETA programs that are focused on behaviour change.

Exploring IS security themes: a literature analysis

ABSTRACT This study presents a literature review of the Information Systems (IS) security field. The purpose of this review is to identify IS 'security themes'. Articulating IS 'security themes' can assist in making effective decisions and reducing risks faced by organisations. This review analyses 87 journal articles from the AIS Senior Scholars' Basket of Journals, and journals recommended by the AIS Special Interest Group in Information Security and Privacy (SIGSEC). An inductive approach to open coding was followed which led to the emergence of twelve IS 'security themes'. Based on our analysis, we found significant research focus on certain 'security themes' (e.g. IS Security Policy, IS Security Behaviour, IS Security Management, and IS Security Awareness) over others (e.g. IS Security Knowledge, IS Security Ethics, and IS Security Investment). We also examine the role of Security Education, Training, and Awareness (SETA) programmes across the IS 'security themes' and provide some initial observations.

Using susceptibility claims to motivate behaviour change in IT security

ABSTRACT Organisations face growing IT security risks with substantial consequences for missteps in business continuity, data loss, reputational harm, and future competitive advantage. To improve precaution-taking among organisation members, leaders frequently turn to susceptibility claims embedded in security education, training, and awareness (SETA) initiatives to motivate change. However, prior studies have produced mixed empirical results concerning the role of susceptibility in motivating precaution-taking. To deepen theorising about using susceptibility claims to change behaviour, we argue that threat characteristics (overt versus furtive attacks) shape individuals’ attitudes of the threat, and these attitudes subsequently anchor how individuals respond to new claims about the threats. We introduce social judgement theory (SJT) to argue that when individuals participate in SETA initiatives, susceptibility claims that are too distant from individuals’ existing attitudes will be ignored, while claims that are more proximal are more likely to be accepted and result in behaviour change. Using a longitudinal field experiment, we found that susceptibility claims motivated precaution taking against phishing (overt attack) but did not against password cracking (furtive attack). These results support SJT predictions and imply latitudes of acceptability and rejection into which susceptibility claims are placed. Implications for researchers, organisation leaders, and SETA developers are discussed.

An Examination of Gain- and Loss-Framed Messaging on Smart Home Security Training Programs

The Internet of Things (IoT) has gained popularity among home consumers due to its characteristics related to automation, information gathering, and purported physical security benefits. In an effort to capitalize on an expanding market, IoT developers have rushed products to market without proper due diligence regarding device cybersecurity. By being more focused on the utility and convenience of IoT devices without being concerned about their devices’ inherent security flaws, consumers may be unwittingly putting themselves at risk. Gain- and loss-framed messaging has been an extensively studied form of persuasive communication in other research fields but has not been previously examined in the context of information security research. Using an experimental design, we assess the efficacy of applying gain- and loss-framed principles to a security education training and awareness (SETA) program designed to bolster IoT users’ concerns related to pertinent IoT-based threats and provide information about their corresponding countermeasures. We found that for consumers with low initial IoT security concerns, loss-framed messaging is more effective in increasing security concerns. For consumers with higher initial concerns, messages focusing on desirable outcomes, regardless of an overall gain- or loss-framed message valence, are effective at increasing IoT security concerns.

PetroLogistics II to build new PDH plant at undecided location on the Gulf Coast

Information security violations have negative organizational and personal impacts. Studies that examine key factors to motivate individuals to change their security-related behaviours are important to promote safe and secure computing. Drawing on protection motivation theory (PMT), this research aims to investigate the antecedents of threat and coping appraisals in relation to the individuals' information security protection intention among university students. It contributes to a better understanding of users' information security awareness through an examination of the impact of security education, training and awareness (SETA) programme on information security threat and countermeasures awareness and the role of information security awareness as an antecedent to the cognitive processes associated with coping and threat appraisals. In addition, this research contributes to extend PMT by investigating the role of fear and maladaptive rewards in explaining information security behaviours.

Leader power and employees’ information security policy compliance

Dependence on mobile and outside networks exposes businesses to information leakages by insiders, increasing the importance of information security. Consequently, companies need to implement security education training and awareness (SETA) programs, to ensure employees comply with information security policies (ISPs). The influence of supervisor leadership on the effectiveness of such programs has received little empirical attention. This study empirically analyzes the moderating role of leader power bases effect in the relationship between SETA programs and employees’ ISP compliance intention using WarpPLS 5.0. The moderating effects differ by leader power base type, and expertise, reward, and legitimate power have a positive impact on the relationship. The findings have theoretical and practical implications for the execution of SETA programs and creation of organizational environments in the context of information security.

Examining employee security violations: moral disengagement and its environmental influences

Purpose Employee security behaviors are the cornerstone for achieving holistic organizational information security. Recent studies in the information systems (IS) security literature have used neutralization and moral disengagement (MD) perspectives to examine employee rationalizations of noncompliant security behaviors. Extending this prior work, the purpose of this paper is to identify mechanisms of security education, training, and awareness (SETA) programs and deterrence as well as employees’ organizational commitment in influencing MD of security policy violations and develop a theoretical model to test the proposed relationships. Design/methodology/approach The authors validate and test the model using the data collected from six large multinational organizations in Korea using survey-based methodology. The model was empirically analyzed by structural equation modeling. Findings The results suggest that security policy awareness (PA) plays a central role in reducing MD of security policy violations and that the certainty of punishment and immediacy of enforcing penalties are instrumental toward reducing such MD; however, the higher severity of penalties does not have an influence. The findings also suggest that SETA programs are an important mechanism in creating security PA. Originality/value The paper expands the literature in IS security that has examined the role of moral evaluations. Drawing upon MD theory and social cognitive theory, the paper points to the central role of SETA and security PA in reducing MD of security policy violations, and ultimately the likelihood of this behavior. The paper not only contributes to theory but also provides important insights for practice.

Some password users are more equal than others: Towards customisation of online security initiatives

Background: Online security is a growing concern and user authentication through passwords remains an important mechanism to protect online assets. Research to date has highlighted the need to address human behaviour but without an indication of where the emphasis of security education, training and awareness (SETA) initiatives should be, beyond improved password practices. Objectives: The aim of this study was to, through analysis of the password behaviour of South African online consumers: (1) understand the prevalence of poor password practices among consumers overall and (2) identify specific password deficiencies prevalent among different demographic groups to be focus areas for tailored intervention programmes. Method: The study uses a quantitative research approach. An online survey was used to gather demographic data, perceptions about online security and applied password practices. A sample of 737 valid responses was analysed for this research. Results: Based on the descriptive analysis of the responses three key observations were made. Firstly, there is a distinct difference in the incidence of poor password practices for all respondents and thus support for tailored interventions. Secondly, there are variances between the practices within different demographic groups that could be used for customisation of interventions. Finally, the different poor practices cannot be uniquely attributed to one particular set of demographics. Conclusion: The study concluded that to improve computer password security in South Africa, password SETA programmes should be customised for areas where individual needs exist and not merely per password practice or demographic group.