An Exploratory Study of Current Information Security Training and Awareness Practices in Organizations
All content following this page was uploaded by Moneer Alshaikh on 11 November 2019.
1). The interviewees were chosen for their level of experience in the area. The questions were aimed at investigating how these experts implemented their ISTA programs within their organizations. The interviews lasted approximately 60 minutes on average. Participants were asked to describe the activities they undertake to manage the organization’s ISTA program. Participants reported on their current organizations, but also mentioned their experience from past organizations, giving more data on diverse types of organizations. Participants were asked follow-up questions via email where required. The participants come from organizations of different sizes and industries.

Table 1. Background study participant details

ID | Role | Industry | Years of Experience
CISO1 | Chief Information Security Officer | Government | 15+
Mng1 | Security Manager | IT Services | 5+
Mng2 | Senior Security Manager | Insurance | 20+
CISO2 | Chief Information Security Officer | Automotive | 10+
Mng3 | Security Awareness Manager | Banking | 10+
Mng4 | Security Awareness Manager | Banking | 9+

4. Findings

A qualitative data analysis approach was adopted in this study as per [33]. The interviews were transcribed from the audio recordings and a detailed analysis was undertaken to gain an understanding of what managerial activities the participants undertake as part of their jobs. This resulted in approximately 80 pages of transcribed text. The collected data was coded sentence by sentence to identify themes. The grounded theory analysis technique was employed to analyse the data. A coding process consisting of open, axial and selective coding was used to identify themes related to how an ISTA program is implemented in organizations. Four themes were identified: ad-hoc vs. formal approach to ISTA activities, lack of motivational aspects in ISTA programs, competition for employees’ attention, and difficulty in measuring the effectiveness of the ISTA program. This section presents evidence related to these four themes.

4.1 Ad-hoc vs. Formal ISTA Activities

The findings of this study provide insight into how ISTA activities are conducted in organizations. The data shows the differences between the ad-hoc and formal approaches that organizations adopt to the implementation of six key ISTA activities: identify ISTA program needs, develop ISTA program plan, establish ISTA program development team, develop ISTA materials, conduct ISTA program and review ISTA program.

4.1.1 Identify ISTA Program Needs. Identifying the needs for the ISTA program is one of the key practices reported by the participants. The formal approach to this practice involves using various inputs to identify the needs. Mng1, CISO2, Mng3 and Mng4 reported that policy, incident reports, risk assessment, threat intelligence, and users’ feedback are used to identify the needs for the ISTA program. For instance, Mng4 stated: “There are numerous inputs. Understanding the threat landscape: what is currently happening or what's being advertised. There's also a component around what incidents have we seen in the past, be they to our organization or to other industries or organizations. We also look at what user feedback we are receiving. If people are actually saying that these are their concerns--these are their issues, we'll also feed that into it, as well. Then, also, the strategic direction of where the ISO wants to build capability. That will really dictate more or less the key areas.”

In the ad-hoc approach, organizations only use policy to identify the needs. CISO1 and Mng2 stated that in their organizations only policy is used as an input to identify the needs for ISTA.

4.1.2 Develop ISTA Program Plan. While all six participants acknowledge the importance of planning for ISTA, the extent to which planning is formalized depends on the circumstances and the characteristics of the organization. CISO2, Mng3 and Mng4 stated that there are thorough planning activities, covering long term (strategic) and short term (tactical) aspects of ISTA. Mng3 stated: “we set objectives for short campaigns, ‘security and fraud week’ is developed to achieve specific objectives. We also have very high-level objectives that we'd like to achieve for the overall ISTA program”.

Mng1, Mng2 and CISO1 reported that their organizations tended to take an ad-hoc approach to ISTA planning. They reported that there is some planning; however, it is neither comprehensive nor formal. Planning covers a few high-level elements such as the scheduling of activities. Mng2 stated that, “We don’t have a formal plan for the program, we just have a schedule for activities, but it needs improvement”.

This variation can be attributed to the maturity and size of the organization as well as aspects of management support and the availability of resources (including time and personnel).
4.1.3 Establish ISTA Program Development Team. All participants agreed that the delegation of roles and responsibilities around ISTA is a key activity. Organizations that implement ISTA in a formal approach usually have a dedicated team for ISTA. Half of the participants stated that they have a formal team consisting of three to four members. Mng1 states: “There is a team responsible for security training and awareness. They have the responsibility to create the training material, publishing it on the CBT learning portal. And tracking completion”.

Organizations that implement ISTA activities in an ad-hoc approach do not have a dedicated team, and responsibilities for ISTA are undertaken by members of the organization’s security team. CISO1 stated: “At my last organization, [Bank], we had a team called the learning and development team. They were responsible for managing all CBT or classroom based training. […] but in my current organization, we don't have a learning and development unit”.

CISO1 further provided justification for not having a dedicated team in his organization. He stated that because his organization is small, it does not have a dedicated team for ISTA: “That is probably more of a reflection of the size of our organization. We are not quite big enough to have a dedicated team to this task”.

4.1.4 Develop ISTA Materials. The study participants agreed that developing ISTA materials is an essential practice which they undertake as part of their role in managing ISTA. Only respondents from organizations that implement ISTA using a formal approach reported the involvement of stakeholders in the development of ISTA materials. Once materials are developed, they are shared with representative stakeholders to review and provide feedback. For instance, Mng3 and Mng4 stated that they solicit input from stakeholders during the development of ISTA materials: “we create the material and send it to the stakeholders, and then we ask them to provide feedback on the materials, revise it, and publish it”. After feedback is received and incorporated, the material is ready for use as part of the organization’s ISTA program.

On the other hand, organizations that implement ISTA activities using an ad-hoc approach did not report any involvement of stakeholders.

4.1.5 Conduct ISTA. Respondents from organizations that implement ISTA using an ad-hoc approach reported that they only conduct mandatory security training for all employees using computer based training (CBT). CISO1 reports: “we have mandatory online training that everyone must complete”.

Organizations that follow a formal approach, however, implement several types of ISTA training besides mandatory online training. These types include ongoing awareness campaigns, training for specific groups/teams and an intensive awareness campaign over a day or a week. CISO2 reports: “every month we have awareness messages which come in the form of email or poster”. Mng3 also comments: “we have a focused security awareness program for specific employees. For example, in my job at the Banking sector, we have specific ISTA programs for call centre people”. Mng4 also states: “we have an annual security awareness week. That's run right across the group”.

4.1.6 Review ISTA Program. Organizations that use a formal approach to review the ISTA program use various techniques to check the effectiveness of their ISTA, such as (1) measuring security awareness indications (i.e. the number of reports of security incidents and the number of incidents from threats addressed in the ISTA program), (2) performing phishing simulations, (3) testing the knowledge of employees prior to, and subsequent to, training, and (4) conducting internal and/or external audits of the ISTA program. Organizations that implement ISTA using an ad-hoc approach did not report activities to measure the effectiveness of their ISTA program. They only relied on statistics generated by the CBT software that relate to the number of employees who completed the training and how many times they have undertaken this type of training. Information about completion rates of CBT was used to show managers and auditors (internal and external) that the organization has fulfilled compliance requirements.

4.2 Lack of ISTA Motivational Aspects

The ISTA literature outlines that an effective ISTA program should consist of three main aspects: knowledge, motivation and attitude. These three aspects are vital to change employees’ behaviour towards information security and therefore protect organizations from insider threats caused by employees’ noncompliance with security policies. However, a finding of this study indicates that ISTA programs in many organizations focus only on providing knowledge about security whilst overlooking how to improve employee motivation towards security. The study participants stated that, from the organizational perspective, their ISTA programs have no motivational aspects and are only seen as a compliance requirement that is mandatory for every employee to undertake once a year. Mng1 states: “I don’t think we do any motivation. We do more of
ensuring compliance by showing people what they need to know from the organization’s policies”.

4.2.1 Suggestions to Increase Motivation. The study participants provided several suggestions and recommendations on how to motivate employees to change their behaviour and perceptions towards information security and to comply with security policies. Participants reported that these suggestions and recommendations were learned through experience and trial and error of what worked and what did not work during many years of managing the ISTA program in their organizations.

CISO2 reported that to motivate people, they tried to communicate the importance of ISTA in protecting the organization from various types of risks: “We focus on explaining the consequences of not following the organization’s policies on the business and various types of risks”. Understanding the types of risks to the organization’s information systems helps to motivate employees to attend ISTA, to be aware of the organization’s policies and thereby to perform their jobs in a secure manner.

“Awareness teams have always developed material based on a compliance and policy risk culture rather than a true business enablement culture, so there's a real opportunity for us to change the conversation and sit down with the business and say, ‘These are the risks. This is how security helps you. How can we properly develop and create content that is consumable for you, supports your teams, and also facilitate better customer experience’” Mng4.

Effective communication, building trust, and good relationships motivate employees, make them actively seek to secure the organization’s resources, and increase reporting of suspicious activities and security incidents. Mng3 states that this has significant effects on motivating employees to participate in an ISTA program: “Instead of giving them information at the wrong time, we motivate them to come to us and to enable them to identify when to seek help, and then to be able to come to us and to communicate their needs”. Mng4 agrees, stating: “our job is to enable the business, once our employees understand that, through effective communication and trust building, it’ll be easy for us to ask them to be involved in our ISTA activities”.

Engaging employees in ISTA activities such as identifying ISTA program needs, the development of ISTA materials, and the implementation and evaluation of the ISTA program is also reported as a motivational strategy. Three participants stated that gaining employees’ feedback during ISTA material development is useful as it gives them a sense of ownership. The collection of feedback from employees about their training also enhances their involvement with the ISTA program. Mng3, Mng4 and CISO2 argued that engaging employees in ISTA activities proves to be an effective strategy to motivate employees and change their perceptions of information security.

Relating information security to an employee’s personal life is another way to motivate. For example, when raising employees’ awareness about the organization’s policies on the use of social media (Facebook, Twitter, etc.), the organization should ensure that the awareness program makes reference to issues like personal and children’s safety when using social media. Mng3 reports: “If we are running training on social media, we make sure it's about enabling them to be more secure on their personal social media sites, or talk to their parents or children about secure social media use. We find that making that personally relevant is a really good motivator to get staff to come along and be interested and engaged in the session”.

4.3 Competing for employees’ attention

An unexpected finding from this study was that organizations face a challenge in that employees only have a limited amount of attention that can be devoted to ISTA. As organizations have become more governed by rules and regulations, the amount of training of employees has increased, and employees now must be trained about occupational health and safety, sexual harassment, discrimination, privacy, etc. This has created a situation where there is competition for employees’ attention amongst various organizational functions. CISO2 points out: “There's competition now within organizations to get the attention of employees and to hold their attention for your security awareness program to be effective. It's very difficult these days. Throughout the year, they go through many training programs. They come back to me and say, ‘Do you have any idea how many training sessions go through’”.

The consequence of such competition between various functions inside the organization for the attention of employees is that it is difficult for employees to focus on and remember the information provided in ISTA sessions. CISO1 states: “There's too much information, information overflow. So, if they [employees] go and come out of our training, they forget immediately everything we taught them. They forget as they have to move on to something else and get ready for more training in two days”.

4.3.1 Recommendations to overcome this challenge. The study participants provided several strategies. First, using multiple delivery methods and being creative and innovative in how the organization delivers its ISTA program. “You've got to be
innovative in the way that you reach out to your colleagues, constantly refresh themes to try and get the attention of workforce using things like comic heroes, and quizzes, and giving away gifts and toys to people to try to maintain the interest” Mng3.

Second, increase the effectiveness of the ISTA program by reducing content and increasing motivation. “We reduced the content and increased motivational aspects, making us more approachable. That was the most important thing after having realized that with all the competition we've got” Mng3.

Third, focus on employees who deal with sensitive information and processes. The main target in some organizations is to identify those people and develop an ISTA program that targets them to safeguard the information and processes they deal with in their job. CISO2 states: “We had to let go of the people that didn't have confidential information. That was the biggest thing, I think. To let go of those and really concentrate on those people who dealt with confidential information”. Mng4 agrees: “We do a targeted campaign for those people who are dealing with very sensitive or very critical information. We do more frequent, more high-touch awareness training and campaigning with that particular group of stakeholders”.

Fourth, find the right balance between getting people’s attention and overwhelming them with ISTA activities. “Too much awareness is not good, people are getting confused. We've got to try and get a balance, but you don't want to do it so frequently that people become fatigued. We are vying for their attention like many other parties in the organization. You don't want it to feel like spam and become overwhelming. It's really important that we strike the right balance” CISO2.

Last, a way to overcome the problem of employees’ limited time and attention is to investigate successful ISTA programs in organizations that have similar risk landscapes. “What I've been finding when I've talked to other organizations that have had successful awareness campaigns,” Mng3.

4.4 Measuring the Effectiveness of ISTA

The findings of this study show that organizations recognize the importance of evaluating their ISTA program. Respondents, especially in large organizations, reported that they employ various methods to measure the effectiveness of ISTA and to monitor changes to employee behaviour. These include:

a) Measuring security awareness indications (i.e. the number of reports of security incidents and the number of incidents from threats addressed in the ISTA program): “…more number of calls show that people are understanding risks and they are reporting it” Mng3.

b) Testing the knowledge of employees pre and post training attendance: “We perform ad hoc testing to check whether a person has understood the policy” Mng1. The participants stated that understanding the policy involves what a policy statement means and how to apply it.

c) Performing phishing simulations: Organizations may hire consultants to “send fake spam or phishing email or malware to the organization network. It does not impact it, but tests how employees react. It is just to check the implementation of security training and awareness program in the organization” Mng4. The aim of such an exercise is “to check [whether] (1) the organization's system or control detect it or not? (2) what does the users do, click on it or report it? If they are aware of this risk and they have understood [the training] they will not click and report it to helpdesk” Mng4.

d) Collecting feedback from stakeholders: Employees’ feedback is also an important indication of the effectiveness of the program. Therefore, Mng3 stated that they capture qualitative feedback from the stakeholders about the program’s materials and delivery methods.

CISO2, Mng3 and Mng4 stated that it is very challenging to accurately measure the effectiveness of their organization’s ISTA programs. Mng3 stated that “It's [ISTA evaluation] arguably the hardest area. We use metrics but these metrics can only provide indication of the success of the ISTA program. At the end of the day we deal with very complex issue human behaviour!”

Mng3 and Mng4 suggested that organizations should use a combination of effectiveness checking techniques to enable them, to some extent, to measure the effectiveness of their ISTA program. They also added that organizations should investigate and identify the best techniques to evaluate their ISTA program which are suitable to their organizational context. For example, organizations may develop an evaluation survey that focuses on measuring employees’ behaviour and knowledge of issues around risks related to the organization’s industry, or common security incidents. Just as organizations tailor their ISTA program to their ISTA needs, it is also vital to tailor effectiveness checking techniques, because techniques that work for one organization may not necessarily work for others.
5. Discussion

The main contribution of this study is to address the need for empirical evidence in the area by providing insight into how ISTA activities have been institutionalized, and how well they have been resourced, within organizations. This research has identified that the implementation of ISTA activities in different organizational contexts is approached either formally or in an ad-hoc manner. Further, significant differences between the approaches across key ISTA practices were observed. The findings provide recommendations and suggestions on how to: increase the motivational aspects of ISTA, overcome the challenge of competition for employees’ attention, and overcome the difficulty of measuring the effectiveness of the ISTA program.

5.1 Towards a formal approach to the Implementation of ISTA activities

The findings of this study revealed the differences between the ad-hoc and formal approaches that organizations adopt in the implementation of ISTA activities (Table 2). The findings showed the effect of adopting one of these approaches on the quality of ISTA activities in organizations and therefore on the effectiveness of the ISTA program.

There are two main reasons that organizations adopt a formal or ad-hoc approach to the implementation of ISTA.

First, ISTA programs are implemented to comply with standards and regulatory requirements. Organizations that must comply with standards and regulatory requirements (e.g., ISO/IEC 27001) are required to provide ISTA to communicate information security policies. Those organizations that see an ISTA program as a regulatory compliance requirement, rather than as a valuable control to increase employees’ awareness and prevent insider threats, tend to implement ISTA activities using an ad-hoc approach. This has a detrimental effect on the quality of activities and therefore on the effectiveness of the ISTA program. This finding supports the argument of [32] that complying with security standards does not guarantee the quality of the recommended activities in practice. For example, organizations use CBT to gather statistics of who completed the training and how many times they have done it. This helps to fulfil compliance requirements by showing detail on how many, and how often, employees complete training. However, several disadvantages were reported by the respondents, such as the lack of human interaction, low motivation, and limited accommodation of preferences and learning styles. More importantly, statistics around training completion are not good indications of employee awareness levels.

Second, variations in the implementation of ISTA can be attributed to the maturity and size of the organization as well as aspects of management support and the availability of resources (including time, budget, and personnel). Respondents from large organizations reported that they formally implement the set of activities through which ISTA takes place. In small organizations, because of a lack of resources, training and awareness activities are dealt with more informally and occasionally may not be done at all. Although the data suggested that small organizations usually adopt an ad-hoc approach and large organizations tend to have a more formal and structured approach, we cannot generalize this and conclude that this is the case for all organizations. A small organization that realizes the importance of ISTA, or isn’t requirements driven, may invest and dedicate more resources to implement ISTA in a more formal manner. Likewise, a large organization that is compliance driven may use an ad-hoc approach.

In terms of the maturity of an organization, most organizations start by implementing an ISTA program to comply with standards requirements and then move towards improving their program to eventually build a culture of security. The maturity of an organization’s ISTA program is influenced by the length of time the organization has implemented ISTA: the longer the organization has been conducting ISTA activities, learning from past experience of what techniques have worked and what did not, the more likely the ISTA program is to be mature. This finding is in line with the conclusion of Manifavas et al. [34] that “the maturity of the program can play a significant role in its effectiveness; the latter cannot be guaranteed during the first years of deployment” (p. 259). Additionally, organizations that have a dedicated team managing ISTA will have more opportunities to improve their ISTA program and to achieve a high maturity level and institutionalized activities. This is because having a dedicated team enables the organization to leverage learning from past experiences.

Identifying ISTA program needs is one of the key activities reported by the participants. The findings of this study provide insight into how this practice is conducted in organizations. A formal approach to this activity uses various inputs (security policy, recent risk assessment and incident response reports) to accurately identify the requirements for the ISTA program. However, an ad-hoc approach tends to use only the security policy as an input, which may lead to the organization’s needs not being met.
Table 2. Differences between ad-hoc and formal approaches to the implementation of ISTA activities.

ISTA activities | Ad-hoc approach | Formal approach
Identify ISTA program needs | Only use policy as an input to identify the needs for ISTA | Use various inputs: policy, incident reports, risk assessment, threat intelligence, users’ feedback, roles and responsibilities
Develop ISTA program plan | Limited planning activity, only a schedule | Thorough planning activities, covering long term (strategic) and short term (tactical) aspects of ISTA
Establish ISTA program development team | Security manager doing ISTA plus other security responsibilities | Dedicated team of 2 to 3 people (internal awareness manager and external awareness manager)
Develop ISTA materials | Use existing material or PowerPoint slides; users are not involved | Use various delivery methods that are tailored to the organization’s needs
Conduct ISTA | Only mandatory security training via CBT, occasional awareness messages; focus on providing knowledge | Diverse types of ISTA such as intensive awareness campaigns and ISTA for specific groups and teams, as well as the mandatory training; focus on knowledge and motivation
Evaluate ISTA program | Depend on statistics from CBT | Employ various techniques to measure the effectiveness of the ISTA program

The differences between an ad-hoc and a formal approach can also be seen in the development of an ISTA program plan. In the formal approach, the ISTA plan is more formalized and extensive, covering both long term (strategic) and short term (tactical) aspects of ISTA. In an ad-hoc approach, planning covers a few high-level elements such as the scheduling of activities.

Organizations that adopt an ad-hoc approach do not have a dedicated team to manage the ISTA program. The responsibilities for the ISTA program usually fall to the security manager, who is also responsible for other information security practices. Organizations that adopt the formal approach have a dedicated team, one to three people, usually with no technical background (i.e. communication or change management backgrounds) but with a good understanding of the security issues as well as business processes. Having a dedicated team will ensure clear assignment of roles and responsibilities, which is important for the success of an ISTA program.

In terms of conducting the ISTA program, organizations that implement an ad-hoc approach only use computer based training (CBT), whereas in organizations using a formal approach, several types of ISTA activities will be conducted. The difference in the extent of the implementation of conducting ISTA can be attributed to the lack of resources and the low awareness of the role of ISTA in protecting organizational information resources in smaller organizations. The literature suggests that to increase the effectiveness of ISTA, organizations should implement the program using various methods, not just CBT [35]. The use of many delivery methods increases the effectiveness of ISTA as it considers the preferences and the learning styles of employees in the organization. Subsequently, the selection of delivery methods should take into consideration the type of message and the intended target audience [29].

The findings of this study show that organizations recognize the importance of evaluating their ISTA program. The formal approach to ISTA evaluation uses various methods (see Section 4.4) to measure the effectiveness of ISTA and to monitor changes to employee behaviour. However, organizations that adopt an ad-hoc approach depend on training statistics generated by CBT to track the effectiveness of ISTA. This is done mainly to meet compliance and regulatory requirements, not to measure the effectiveness of the program [36]. That means that in these kinds of organizations the ISTA program may not be optimal.

5.2 Developing an effective ISTA program

The study participants provided insights and recommendations on strategies to create an effective ISTA program through focusing on motivating aspects. These recommendations include: motivate employees through effectively communicating the purpose of the ISTA program, building trust and good relationships with stakeholders, engaging stakeholders in managing ISTA activity through providing feedback, and relating the ISTA messages to the employees’ private life. The participants also stated that relating information security to the employees’ personal life motivated them about information security. To the best of our knowledge, using personal life to motivate has not been reported in the literature.

Several recommendations were also provided by the participants to overcome the challenge of
competition with other organizational training initiatives for employees’ attention. First, organizations should consider using multiple delivery methods and try to be creative and innovative in the way the organization delivers its ISTA program. Second, organizations should reduce content and increase motivation. Third, organizations should focus on employees who deal with sensitive information and processes. These recommendations have been reported in the current literature. However, the findings of this study extend the literature by suggesting that organizations should look at consolidating training across organizational functions to reduce the number of training courses and to reduce the competition for employees’ attention. For example, the induction training program for new employees should embed basic information security training. This requires constant liaison and communication between HR people and the information security personnel who are responsible for the security awareness and training program. Our suggestion is in line with Puhakainen and Siponen’s [37] recommendation to integrate the ISTA program with the normal business communication of the organization.

The findings of this study show that current techniques and methods employed in organizations to measure the effectiveness of ISTA can only provide an indication, but not a comprehensive assessment, of the effectiveness of the ISTA program. For example, the study respondents stated that the number of reports of security incidents around threats addressed in the ISTA program is used as an indication of the level of employees’ security awareness. However, the number of security incident reports does not necessarily reflect the extent to which the ISTA program is effective in imparting an awareness of risk, for two reasons. First, ‘incidents’ are variably defined and not every

how an ISTA program is implemented in different organizational contexts. It identifies two approaches (ad-hoc and formal) that organizations adopt in the implementation of ISTA activities and discusses the significant impact of each approach on the effectiveness of ISTA in organizations. Further, three challenges have been identified: the lack of motivational aspects in current ISTA programs, the competition for employees’ attention and the difficulty in measuring the effectiveness of the ISTA program. Several recommendations and suggestions were outlined to overcome these challenges.

The findings of the study have several practical implications. They provide guidance on how ISTA activities can be implemented in a more formal and institutionalized approach. The study also provides practitioners with strategies and recommendations to develop an effective ISTA program.

The findings provide a sound basis for further empirical work. The next step is to conduct a set of in-depth case studies within organizations which will include several data collection techniques (expert interviews, document analysis and observation) to gain an in-depth understanding of current ISTA management practices. This will enable researchers to develop a maturity model which organizations can use as an assessment tool to assess their implementation of ISTA and to identify ways to improve their ISTA program.

7. References

[1] Accenture & HfS Research, The State of Cybersecurity and Digital Trust: Identifying Cybersecurity Gaps to Rethink State of the Art, 2016.
[2] Crowd Research Partners, Insider Threat Spotlight
event is an incident. Second, increases in incident Report, in, 2017.
reports may occur as a result an increase in the number
or sophistication of attacks. Therefore, it is still [3] P. Balozian, D. Leidner, Review of IS Security Policy
Compliance: Toward the Building Blocks of an IS Security
unknown to organizations how effective their ISTA
Theory, SIGMIS Database, 48 (2017) 11-43.
programs are in changing employee’s behaviour and
how much they should invest on ISTA to be able to get [4] N.N.A. Molok, A. Ahmad, S. Chang, Understanding the
an effective outcome. This is still an elusive goal for factors of information leakage through online social
organizations to achieve. The findings suggest that the networking to safeguard organizational information, in:
Proceedings of the 21st Australasian Conference on
organizations should use a combination of
Information Systems, 2010.
effectiveness checking techniques enable them to
measure the effectiveness of their ISTA program. It is [5] A. Ahmad, R. Bosua, R. Scheepers, Protecting
also recommended that organizations develop their organizational competitive advantage: A knowledge leakage
own success metrics to measure their ISTA program. perspective, Computers & Security, 42 (2014) 27-39.
[6] Australian Cyber Security Centre, 2016 Threat Report, in,
6. Conclusion 2016.
[7] D. De Maeyer, Setting up an Effective Information
This paper has presented an exploratory study of Security Awareness Programme, in: ISSE/SECURE 2007
the implementation of ISTA program in six Securing Electronic Business Processes, Vieweg, 2007, pp.
organizations. The study has provided an account of 49-58.
Page 5093
[8] SANS, Security awareness report: It’s Time to [24] R. Power, D. Forte, Case Study: a bold new approach to
Communicate, in, 2017. awareness and education, and how it met an ignoble fate,
Computer Fraud & Security, 2006 (2006) 7-10.
[9] B. Khan, K. Alghathbar, M. Khan, Information Security
Awareness Campaign: An Alternate Approach, in: T.-h. Kim, [25] T.R. Peltier, Implementing an Information Security
H. Adeli, R. Robles, M. Balitanas (Eds.) Information Awareness Program, EDPACS, 33 (2005) 1-18.
Security and Assurance, Springer Berlin Heidelberg, 2011,
pp. 1-10. [26] J.A. Valentine, Enhancing the employee security
awareness model, Computer Fraud & Security, 2006 (2006)
[10] A. Ahmad, S. Maynard, G. Shanks, A case analysis of 17-19.
information systems and security incident responses,
International Journal of Information Management, (2015). [27] T.R. Peltier, How to build a comprehensive security
awareness program, COMPUT SECUR J, 16 (2000) 23-32.
[11] P.E. Chaudhry, S. Chaudhry, R. Reese, Developing a
model for enterprise Information Systems Security, [28] A.C. Johnston, M. Warkentin, Fear appeals and
Economics, Management and Financial Markets, 7 (2012) information security behaviors: an empirical study, MIS
587-599. quarterly, (2010) 549-566.
[12] E. Kritzinger, E. Smith, Information security [29] J. Abawajy, User preference of cyber security awareness
management: An information security retrieval and delivery methods, Behaviour & Information Technology, 33
awareness model for industry, Computers & Security, 27 (2014) 237-248.
(2008) 224-231. [30] PCI, Information Supplement: Best Practices for
[13] M. Alshaikh, A. Ahmad, S. Maynard, S. Chang, Implementing a Security Awareness Program, in, Security
Towards a Taxonomy of Information Security Management Awareness Program Special Interest Group PCI Security
Practices in Organisations, in: 25th Australasian Conference Standards Council, 2014.
on Information Systems, Auckland, New Zealand, 2014. [31] A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis,
[14] P. Shedden, A. Ahmad, A. Ruighaver, Organisational Managing the introduction of information security awareness
learning and incident response: promoting effective learning programmes in organisations, European Journal of
through the incident response process, (2010). Information Systems, 24 (2015) 38-58.
[15] ISO/IEC, ISO/IEC 27002 Interntional Standard: [32] M. Siponen, R. Willison, Information security
Information technology - Security Techniques- Code of management standards: Problems and solutions, Information
practice for information security controls, in, 2013. & Management, 46 (2009) 267-270.
[16] A. Ahmad, S. Maynard, Teaching information security [33] W.L. Neuman, Social research methods: Qualitative and
management: reflections and experiences, Information quantitative approaches, Sixth ed., 2006.
Management & Computer Security, 22 (2014) 513-536. [34] C. Manifavas, K. Fysarakis, K. Rantos, G. Hatzivasilis,
[17] M.E. Whitman, H.J. Mattord, Management of DSAPE – Dynamic Security Awareness Program Evaluation,
information security, 2nd ed., Thomson Course Technology, in: T. Tryfonas, I. Askoxylakis (Eds.) Human Aspects of
Boston, Mass., 2008. Information Security, Privacy, and Trust, Springer
International Publishing, 2014, pp. 258-269.
[18] M. Wilson, J. Hash, Building an information technology
security awareness and training program, in: NIST Special [35] E.B. Kim, Recommendations for information security
publication, 2003, pp. 50. awareness training for college students, Information
Management & Computer Security, 22 (2014) 115-126.
[19] G. Öğütçü, Ö.M. Testik, O. Chouseinoglou, Analysis of
personal information security behavior and awareness, [36] T. Tan, A. Ruighaver, A. Ahmad, Information Security
Computers & Security, 56 (2016) 83-93. Governance: When Compliance Becomes More Important
than Security, in: K. Rannenberg, V. Varadharajan, C. Weber
[20] J. D’Arcy, A. Hovav, D. Galletta, User Awareness of (Eds.) Security and Privacy – Silver Linings in the Cloud,
Security Countermeasures and Its Impact on Information Springer Berlin Heidelberg, 2010, pp. 55-67.
Systems Misuse: A Deterrence Approach, Information
Systems Research, 20 (2009) 79-98. [37] P. Puhakainen, M. Siponen, Improving employees'
compliance through information systems security training: an
[21] M. Karjalainen, M. Siponen, Toward a New Meta- action research study, Mis Quarterly, 34 (2010) 757-778.
Theory for Designing Information Systems (IS) Security
Training Approaches, Journal of the Association for
Information Systems, 12 (2011) 518-555.
[22] R. Herold, Managing an information security and
privacy awareness and training program, CRC press, 2010.
[23] P. Bowen, J. Hash, M. Wilson, SP 800-100. Information
Security Handbook: A Guide for Managers, in, 2006.
Page 5094