Training Decrement in Security Awareness Training

This study determines if there is a decremental effect following IT security awareness training. In most security policy compliance literature, the main focus has been on policy design. Studies that address security awareness training are seldom theory driven and even fewer are empirically based. To fill this gap, we draw from the theory of vigilance decrement as well as forgetting curves in psychology, and propose a classroom experiment showing that participants\u27 IT security awareness decreases over a 45-day period since the training at day one. The result adds to the security policy compliance literature and suggests that some policy violations are due to the decrement in vigilance and security knowledge. The practical implications are that companies need to train their employees repeatedly overtime in order to maintain a high level of IT security policy compliance