From awareness to influence: toward a model for improving employees’ security behaviour

  • Original Article
Personal and Ubiquitous Computing

Abstract

This paper argues that a conventional approach to cybersecurity awareness is not effective in influencing employees and creating sustainable behaviour change. The increase in security incidents caused by employees is evidence that providing information to raise employees’ awareness does not necessarily improve their security behaviour, and organisations must transform their security awareness program so that it extends beyond awareness to influence and behaviour change. This paper presents an in-depth case study of Telstra, a leading Australian telecommunications company with a well-resourced and mature cybersecurity influence program that has evolved over years of experience. The paper adopts psychological attachment theory to explain the strategies (e.g. cybersecurity champions) implemented by Telstra’s influence team to influence employees to improve their security-related behaviour. The contribution of this paper is a first step toward comprehensive practice-based guidance for organisations on how to transform their cybersecurity awareness programs beyond awareness to influence behavioural change. This paper is based on both academic and industrial perspectives, and it provides a sound basis for future empirical work.

Notes

  1. Link to the video: https://vimeo.com/247734715/390e353da0

  2. https://www.telstra.com.au/content/dam/tcom/business-enterprise/campaigns/pdf/idc-infobrief-final-5-knows-of-cyber-security.pdf


Acknowledgments

We would like to thank the cyber influence team for sharing their experience and providing feedback and comments on the manuscript.

Author information

Corresponding author

Correspondence to Moneer Alshaikh.

Ethics declarations

Conflict of interest

The authors declare no competing interests.

Cite this article

Alshaikh, M., Adamson, B. From awareness to influence: toward a model for improving employees’ security behaviour. Pers Ubiquit Comput 25, 829–841 (2021). https://doi.org/10.1007/s00779-021-01551-2

  • DOI: https://doi.org/10.1007/s00779-021-01551-2