35 research outputs found

    Prevention is better than cure!: Designing information security awareness programs to overcome users’ non-compliance with information security policies in banks

    In organizations, users’ compliance with information security policies (ISP) is crucial for minimizing information security (IS) incidents. To improve users’ compliance, IS managers have implemented IS awareness (ISA) programs, which are systematically planned interventions to continuously transport security information to a target audience. The underlying research analyzes IS managers’ efforts to design effective ISA programs by comparing current design recommendations suggested by scientific literature with actual design practices of ISA programs in three banks. Moreover, this study addresses how users perceive ISA programs and related implications for compliant IS behavior. Empirically, we utilize a multiple case design to investigate three banks from Central and Eastern Europe. In total, 33 semi-structured interviews with IS managers and users were conducted and internal materials of ISA programs such as intranet messages and posters were also considered. The paper contributes to IS compliance research by offering a comparative and holistic view on ISA program design practices. Moreover, we identified influences on users’ perceptions centering on IS risks, responsibilities, ISP importance and knowledge, and neutralization behaviors. Finally, the study raises propositions regarding the relationship of ISA program designs and factors, which are likely to influence users’ ISP compliance

    Determinants that affect information security awareness and behavior: A systematic literature review

    In today’s digital age, it is crucial for all organizations to manage their information systems security. This makes them potentially endangered by actions of employees and users. So there is a need of investing more on security related issues; one of them is giving attention for the human i.e. the social aspect of security. This paper critically analyzes the different literatures using a systematic literature review technique using PRISMA search protocol concerning the determinants which most affect information security awareness and behavior. The information security training or education has given more emphasis than behavior and attitude. Then after identifying those determinants, it filters out the areas further study is needed which includes information security knowledge and care. It is determined that employee information security awareness and conduct are highly influenced by information security training, attitude, and behavior. Due to the choice of search criteria and/or databases, some pertinent papers may not have been included in this literature review so as to the study focus on developing nations. The factors that affect employees’ information security tasks and initiatives must be determined for future stud

    A descriptive review and classification of organizational information security awareness research

    Information security awareness (ISA) is a vital component of information security in organizations. The purpose of this research is to descriptively review and classify the current body of knowledge on ISA. A sample of 59 peer-reviewed academic journal articles, which were published over the last decade from 2008 to 2018, were analyzed. Articles were classified using coding techniques from the grounded theory literature-review method. The results show that ISA research is evolving with behavioral research studies still being explored. Quantitative empirical research is the dominant methodology and the top three theories used are general deterrence theory, theory of planned behavior, and protection motivation theory. Future research could focus on qualitative approaches to provide greater depth of ISA understanding

    A Conventionalist Perspective On Information Security Policies in Organisations

    Concern for information security is a major driver for policy implementation, and with new regulations like the General Data Protection Regulation, almost all types of organisations face the challenge of implementing and applying information security policies. Information security standards guide these processes, but the challenge of ensuring compliance is still a major issue, despite extensive information security research in this aspect. The lack of versatility in theoretical approaches led to calls for sociological approaches to contribute to the literature, but they were only partly addressed. The proposed framework of convention theory can serve as a fruitful approach, providing a pragmatic and contextualized perspective and a strong theoretical foundation from sociology. By adopting a conventionalist view of information security policies, attention is focused on issues of legitimacy without limiting the analysis to a solely structuralist perspective. This research in progress tries to take first steps in building a conventionalist framework for case-based research by introducing some of the main concepts of convention theory and illustrates possible implications for information security research and practice

    ARE YOU AWARE OF YOUR COMPETENCIES? – THE POTENTIALS OF COMPETENCE RESEARCH TO DESIGN EFFECTIVE SETA PROGRAMS

    Since the late 1990s, security education training and awareness (SETA) programs have become commonplace. Despite extensive research into the effective design of such programs and factors influencing compliance behavior, SETA programs tend not to be as effective as they should be. In order to tailor learning content as closely as possible to individual needs, vocational education relies on the modeling and measurement of competencies. We argue that this existing knowledge can be transferred to the information security domain. Therefore, we introduce a competence model from vocational education and consider it in the context of the information security domain. Subsequently, we conduct a structured literature review on conceptualization and effective SETA design and investigate to what extent the competence dimensions from vocational education are already considered in the SETA literature. Our results indicate that competence research can make an important contribution to adapting SETA programs to individual situational actions

    From Compliance to Impact: Tracing the Transformation of an Organizational Security Awareness Program

    There is a growing recognition of the need for a transformation from organizational security awareness programs focused on compliance -- measured by training completion rates -- to those resulting in behavior change. However, few prior studies have begun to unpack the organizational practices of the security awareness teams tasked with executing program transformation. We conducted a year-long case study of a security awareness program in a United States (U.S.) government agency, collecting data via field observations, interviews, and documents. Our findings reveal the challenges and practices involved in the progression of a security awareness program from being compliance-focused to emphasizing impact on workforce attitudes and behaviors. We uniquely capture transformational organizational security awareness practices in action via a longitudinal study involving multiple workforce perspectives. Our study insights can serve as a resource for other security awareness programs and workforce development initiatives aimed at better defining the security awareness work role