Search results

1 – 10 of over 22000
Article
Publication date: 21 June 2021

Laila Dahabiyeh

Abstract

Purpose

As insiders remain a main reason behind security breaches, effective information security awareness campaigns become critical in protecting organizations from security incidents. The purpose of this paper is to identify factors that influence organizational adoption and acceptance of computer-based security awareness training tools.

Design/methodology/approach

The paper uses content analysis of online reviews of the top ten computer-based security awareness training tools that received the Gartner Peer Insights Customers’ Choice 2019 award.

Findings

This study identifies nine critical adoption and success factors. These are synthesized into a conceptual framework based on the technology–organization–environment framework. The findings reveal that technological, organizational and environmental factors come into play in adoption decisions but with varying degrees of importance.

Practical implications

This study highlights key factors that technology vendors should take into consideration when designing computer-based security awareness training tools to increase adoption rates.

Originality/value

This research offers a novel contribution to the literature on information security awareness delivery methods by identifying key factors that influence organizational adoption and acceptance of computer-based security awareness training tools. Those factors were identified using content analysis of online reviews, which is a new methodological approach to the information security awareness literature.

Details

Information & Computer Security, vol. 29 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 4 March 2014

Eyong B. Kim

Abstract

Purpose

The purpose of this paper is to survey the status of information security awareness among college students in order to develop effective information security awareness training (ISAT).

Design/methodology/approach

Based on a review of the literature and theoretical standpoints as well as the National Institute of Standards and Technology Special Publication 800-50 report, the author developed a questionnaire to investigate the attitudes toward information security awareness of undergraduate and graduate students in a business college at a mid-sized university in New England. Based on that survey and the previous literature, suggestions for more effective ISAT are provided.

Findings

College students understand the importance and the need for ISAT but many of them do not participate in it. However, security topics that are not commonly covered by any installed (or built-in) programs or web sites have a significant relationship with information security awareness. It seems that students learned security concepts piecemeal from a variety of sources.

Practical implications

Universities can assess their ISAT for students based on the findings of this study.

Originality/value

If any universities want to improve their current ISAT, or establish it, the findings of this study offer some guidelines.

Details

Information Management & Computer Security, vol. 22 no. 1
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 20 November 2009

Janne Merete Hagen and Eirik Albrechtsen

Abstract

Purpose

The purpose of this paper is to measure and discuss the effects of an e‐learning tool aiming at improving the information security knowledge, awareness, and behaviour of employees.

Design/methodology/approach

The intervention study has a pre‐ and post‐assessment of knowledge and attitudes among employees. In total, 1,897 employees responded to a survey before and after the intervention. The population is divided into an intervention group and a control group, where the only thing that separates the groups is participation in the intervention (i.e. the e‐learning tool).

Findings

The study documents significant short‐time improvements in security knowledge, awareness, and behavior of members of the intervention group.

Research limitations/implications

The study looks at short‐time effects of the intervention. The paper has done a follow‐up study of the long‐term effects, which is also submitted to Information Management & Computer Security.

Practical implications

The study can document that software that supports Information Security Awareness programs has a short‐time effect on employees' knowledge, behaviour, and awareness; more intervention studies of other user‐directed measures, following the same principles as presented in this paper, are needed to test and document the effects of different measures.

Originality/value

The paper is innovative in the area of information security research as it shows how the effects of an information security intervention can be measured.

Details

Information Management & Computer Security, vol. 17 no. 5
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 19 July 2011

Janne Hagen, Eirik Albrechtsen and Stig Ole Johnsen

Abstract

Purpose

The purpose of this paper is to measure and discuss the long‐term effects of an e‐learning tool aiming at improving the information security knowledge, awareness, and behaviour of employees.

Design/methodology/approach

The intervention study had two assessments of knowledge and attitudes among employees: one survey, one week before the intervention, and one survey eight months after the intervention. The population was divided into an intervention group and a control group, where the only thing that separated the groups was participation in the intervention (i.e. the e‐learning tool).

Findings

The study documents that the effects of the intervention on security awareness and behavior partly remain more than half a year after the intervention, but that the detailed knowledge on information security issues diminished during the period. The study also discusses how such courseware can contribute to long‐term organizational learning compared with human interventions such as action research. Both human resource management and internal promotion are necessary inputs in the process to successfully educate and train employees in information security.

Research limitations/implications

One weakness of concern is the low response rate of 37 in the final analysis.

Practical implications

The study can document that short‐time effects of software‐supported information security awareness on employees' knowledge, behaviour, and awareness diminish over time. It is thus important to maintain and continually perform information security awareness. More intervention studies of other user‐directed measures, following the same principles as presented in this paper, are needed to test and document the effects of different measures.

Originality/value

The paper is innovative in the area of information security research as it shows how an information security intervention can be measured.

Details

Information Management & Computer Security, vol. 19 no. 3
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 6 May 2020

Raneem AlMindeel and Jorge Tiago Martins

Abstract

Purpose

The purpose of this paper is to increase understanding of employee information security awareness in a government sector setting and illuminate the problems that public sector organisations in a developing context face when seeking to establish an information security awareness programme.

Design/methodology/approach

An interpretive research design was followed to develop an empirically enriched understanding of information security awareness perceptions, aspirations, challenges and enablers in the context of Saudi Arabia as a developing country. The study adopts a single-case study approach, including face-to-face interviews with senior employees, as well as document analysis.

Findings

The paper theorises the importance of individual information security awareness, knowledge and behaviour and identifies a number of facilitating conditions: customisation to employee and organisational needs, interactivity, innovation, frequency, integration of both electronic and physical learning resources and rewarding the acquisition of in-depth security-related actionable knowledge.

Originality/value

This study is one of the first to examine information security awareness as a socio-technical process within a government sector organisation in a developing country context.

Details

Information Technology & People, vol. 34 no. 2
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 10 January 2020

Alex Koohang, Jonathan Anderson, Jeretta Horn Nord and Joanna Paliszkiewicz

Abstract

Purpose

The purpose of this paper is to build an awareness-centered information security policy (ISP) compliance model, asserting that awareness is the key to ISP compliance and that awareness depends upon several variables that influence successful ISP compliance.

Design/methodology/approach

The authors built a model with seven constructs, i.e., leadership, trusting beliefs, information security issues awareness (ISIA), ISP awareness, understanding resource vulnerability, self-efficacy (SE) and intention to comply. Seven hypotheses were stated. A sample of 285 non-management employees was used from various organizations in the USA. The authors used path modeling to analyze the data.

Findings

The findings indicated that IS awareness depends on effective organizational leadership and elevated employees’ trusting beliefs. The understanding of resource vulnerability (URV) and SE are influenced by IS awareness resulting from effective leadership and elevated employees’ trusting beliefs which guide employees to comply with ISP requirements.

Practical implications

Practical implications were aimed at organizations embracing an awareness-centered information security compliance program to secure organizations’ assets against threats by implementing various security education and training awareness programs.

Originality/value

This paper asserts that awareness is central to ISP compliance. Leadership and trusting beliefs variables play significant roles in the information security awareness which in turn positively affect employees’ URV and SE variables leading employees to comply with the ISP requirements.

Details

Industrial Management & Data Systems, vol. 120 no. 1
Type: Research Article
ISSN: 0263-5577

Article
Publication date: 7 January 2019

Muhammad Shoukat Malik and Urooj Islam

Abstract

Purpose

The purpose of this study is to gain more insight into the impact of cybercrime incidents in the banking sector of Pakistan. This study investigates the significant contribution of information security awareness on the relationship of cybercrimes and organizational performance.

Design/methodology/approach

The impact of cybercrime incidents on organizational performance is investigated by further exploring the moderating effects of information security awareness. A sample of 302 employees in the banking industry of Pakistan was studied by using survey design.

Findings

Cybercrime incidents have negative impact on organizational performance, but information security awareness weakens the negative impact of cybercrimes on organizational performance.

Research limitations/implications

The present study focuses on the banking sector, so its findings cannot be generalized to other sectors. Further, in-depth comparative studies in other sectors with different cultural settings will help to authenticate the research findings.

Practical implications

Information security awareness weakens the negative impact of cybercrimes on organizational performance; therefore, it is important for banks’ HR managers to set up more security training courses to increase employees’ awareness on cybercrimes.

Originality/value

This study explores the impact of cybercrimes on banks’ performance with the moderating role of employees’ information security awareness. Linking these topics has created a new study within the cybercrimes discipline. The present study also enhances the understanding of employees’ role to combat the impact of cybercrimes on organizational performance.

Details

Journal of Financial Crime, vol. 26 no. 1
Type: Research Article
ISSN: 1359-0790

Article
Publication date: 11 July 2016

Sarah Elizabeth Kennedy

Abstract

Purpose

Through the use of effective training techniques and exercises, employees and users can be educated on how to make safe information security decisions. It is critical to the success of a total information security program that users are trained properly as they are a major layer of defense against malicious intent. The current methods of training people about information security are failing, and the number of user-related breaches increases every year.

Design/methodology/approach

By researching and observing current methods and comparing other fields of study, this paper describes the best methodology for modifying user behavior as it pertains to information security.

Findings

Through effective training practices, user negligence can be mitigated and controlled, and the information security program can be better practiced throughout entire organizations.

Originality/value

By using an effective training method to teach employees about information security, employees become an invaluable part of a company’s overall information security strategy. By using this method, employees are no longer the weak link in information security.

Details

Information & Computer Security, vol. 24 no. 3
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 27 January 2021

Zuopeng (Justin) Zhang, Wu He, Wenzhuo Li and M'Hammed Abdous

Abstract

Purpose

Employees must receive proper cybersecurity training so that they can recognize the threats to their organizations and take the appropriate actions to reduce cyber risks. However, many cybersecurity awareness training (CSAT) programs fall short due to their misaligned training focuses.

Design/methodology/approach

To help organizations develop effective CSAT programs, we have developed a theoretical framework for conducting a cost–benefit analysis of those CSAT programs. We differentiate them into three types of CSAT programs (constant, complementary and compensatory) by their costs and into four types of CSAT programs (negligible, consistent, increasing and diminishing) by their benefits. Also, we investigate the impact of CSAT programs with different costs and the benefits on a company's optimal degree of security.

Findings

Our findings indicate that the benefit of a CSAT program with different types of cost plays a disparate role in keeping, upgrading or lowering a company's existing security level. Ideally, a CSAT program should spend more of its expenses on training employees to deal with the security threats at a lower security level and to reduce more losses at a higher security level.

Originality/value

Our model serves as a benchmark that will help organizations allocate resources toward the development of successful CSAT programs.

Details

Industrial Management & Data Systems, vol. 121 no. 3
Type: Research Article
ISSN: 0263-5577

Article
Publication date: 10 July 2017

Hao Chen and Wenli Li

Abstract

Purpose

Recently, the spread of malicious IT has been causing serious privacy threats to mobile device users, which hampers the efficient use of mobile devices for individuals and businesses. To understand the privacy security assurance behavior of mobile device users, this study aims to develop a theoretical model based on technology threat avoidance theory (TTAT), to capture motivation factors in predicting mobile device users’ voluntary adoption of security defensive software.

Design/methodology/approach

A survey is conducted to validate the proposed research model. A total of 284 valid survey data are collected and partial least square (PLS)-based structural equation modeling is used to test the model.

Findings

Results highlight that both privacy concern and coping appraisal have a significant impact on the intention to adopt the security defensive software. Meanwhile, privacy security awareness is a crucial determinant to stimulate mobile device user’s threat and coping appraisal processes in the voluntary context. The results indicate that emotional-based coping appraisal of anticipated regret is also imperative to arouse personal intention to adopt the security tool.

Practical implications

This result should be of interest to practitioners. Information security awareness training and education programs should be developed in a variety of forms to intensify personal security knowledge and skills. Besides, emotion-based warnings can be designed to arouse users’ protection behavior.

Originality/value

This paper embeds TTAT theory within the mobile security context. The authors extend TTAT by taking anticipated regret into consideration to capture emotional-based coping appraisal, and information security awareness is employed as the antecedent factor. The extension offers a useful starting point for the further empirical study of emotion elements in the information security context.

Details

Information & Computer Security, vol. 25 no. 3
Type: Research Article
ISSN: 2056-4961
