Abstract
Effective information security education, training, and awareness (SETA) is essential for protecting organisational information resources. Although many organisations invest significantly in SETA, incidents resulting from employee noncompliance are still increasing. We argue that this may indicate that current SETA programs are sub-optimal in improving security compliance behaviour among employees, as they lack sufficient grounding in theory. This study proposes a new process for SETA development based on the social marketing approach. The proposed process involves selecting specific behaviour, developing a deeper understanding of the target audience, and using theory-informed intervention strategies for changing behaviour. The SETA development process provides a sound basis for future empirical work that will include focus groups and action research.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Alshaikh, M., Maynard, S.B., Ahmad, A. (2020). Security Education, Training, and Awareness: Incorporating a Social Marketing Approach for Behavioural Change. In: Venter, H., Loock, M., Coetzee, M., Eloff, M., Eloff, J., Botha, R. (eds) Information and Cyber Security. ISSA 2020. Communications in Computer and Information Science, vol 1339. Springer, Cham. https://doi.org/10.1007/978-3-030-66039-0_6
DOI: https://doi.org/10.1007/978-3-030-66039-0_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-66038-3
Online ISBN: 978-3-030-66039-0
eBook Packages: Computer Science, Computer Science (R0)