Applying social marketing to evaluate current security education training and awareness programs in organisations
Introduction
Security researchers consistently argue that organisations need information security education, training, and awareness (SETA) programs to raise employees’ awareness of security risk, and to provide them with the required skills and knowledge to comply with security policy (Alshaikh 2020; Cram et al., 2019; Karjalainen et al., 2019). Despite the widespread implementation of such programs in many organisations, the rate of unintended breaches of security directives is still increasing. A recent report shows that 70% of security incidents are caused by employee noncompliance with organisational information security directives (NTT Security, 2019). This trend is consistent with previous security reports (e.g., Accenture and HfS Research, 2016; SANS, 2017) and academic literature (e.g., Almestahiri et al., 2017; Chatterjee et al., 2015; Crossler et al., 2013; Guo et al., 2011; Warkentin and Willison, 2009).
When developing SETA programs, organisations turn to “best practice” and industry standards. However, it remains unclear which SETA strategies are effective in specific contexts (Almestahiri et al., 2017; Beyer et al., 2015; Ki-Aries and Faily, 2017; Warkentin and Willison, 2009). As the literature points out, an underlying reason is that the standards and guidelines are grounded neither in theory nor in empirical evidence (Alshaikh et al., 2019; Jampen et al., 2020; Ng et al., 2009; Park and Chai, 2018; Siponen and Willison, 2009). Further, existing SETA programs aim to improve employee knowledge acquisition rather than behaviour and belief. Therefore, organisations have little clarity on how to increase the effectiveness of SETA programs in altering employee behaviour.
While there is considerable research on SETA in the information systems security behaviour field (Guo et al., 2011; Puhakainen and Siponen, 2010; Sharma and Warkentin, 2019; Siponen and Vance, 2010; Willison and Warkentin, 2013; Willison et al., 2018), these studies approach the problem from an individual behaviour perspective rather than at an organisational level. Within these studies, several theories (e.g., deterrence theory, neutralisation theory and protection motivation theory) have been applied to explain noncompliance with security policies (D'Arcy and Herath, 2011; Hanus and Wu, 2016; Siponen and Vance, 2010). However, the literature does not provide strategies and approaches to assist organisations in developing an effective SETA program to change employee behaviour (Alshaikh et al., 2019).
In this paper, we explore social marketing as an approach for developing more effective SETA programs. Our justification is that social marketing has been successfully used in the past to improve the effectiveness of behaviour change programs in other domains (Almestahiri et al., 2017; Tapp and Rundle-Thiele, 2016). Therefore, the aim of this paper is to use social marketing approaches to: (1) assess the effectiveness of the development process of existing SETA programs; and (2) propose a novel SETA development process. The study addresses the following research question:
How can organisations develop effective SETA programs to achieve behaviour change?
The paper is organised as follows. In the background section, we present best-practice industry guidelines on SETA and then introduce the social marketing approach to behaviour change. Subsequently, we explain the research methodology employed in this research. We then report the findings of the exploratory study, where we map key social marketing principles to SETA practices in the six organisations under investigation. Next, we propose a new approach for the SETA development process based on social marketing. Finally, we conclude with the implications of the research and directions for future work.
Background
In this section, we introduce background research on SETA and Social Marketing.
Research methodology
To answer the research question we use a qualitative, exploratory research approach to gain a rich picture of the research phenomenon (Stebbins, 2001). Qualitative methods allow us to develop a detailed understanding of the relevant phenomena and to investigate aspects of them that may not be obvious at the outset of the research project (Boudreau and Robey, 2005; Eisenhardt, 1989; Klein and Myers, 1999; Yin, 2018). The empirical data in the paper comes from six semi-structured
Findings and discussion
The following sections present our findings and discussion using the social marketing lens.
A social marketing SETA development process
The process for developing a strategic social marketing plan is outlined in detail in Lee and Kotler (2015). As shown in Fig. 2, the process consists of ten steps divided into five key phases: scoping, selecting, understanding, designing, and managing. The five phases are described below with examples from the information security context to demonstrate how they can be applied to the domain.
The process is a logical step-by-step approach, from scoping through to managing, giving a
Discussion
In this section, we map stages of the proposed SETA development process to social marketing principles to show how the proposed model addresses gaps in existing SETA approaches. Further, we discuss how the proposed model, when compared to existing approaches, can provide comprehensive and systematic guidance to develop an effective SETA program.
The proposed SETA development process can address the gaps in existing SETA programs identified as shown in Table 4. In the scoping phase of the
Conclusion, contributions and future work
This paper investigates the use of the social marketing approach in SETA. Our review of the literature shows that there is little evidence that the social marketing approach has been applied for SETA development, even though it has been used in other domains to effectively change behaviour. To further investigate this in practice, we undertook six expert interviews with experienced practitioners in the SETA field. These expert interviews reveal that despite awareness training, by definition,
CRediT authorship contribution statement
Moneer Alshaikh: Conceptualization, Investigation, Methodology, Writing - original draft. Sean B. Maynard: Supervision, Visualization, Writing - review & editing. Atif Ahmad: Supervision, Visualization, Writing - review & editing.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References (76)
- Developing cybersecurity culture to influence employee behavior: a practice perspective. Comput. Secur. (2020)
- Future directions for behavioral information security research. Comput. Secur. (2013)
- Persona-centred information security awareness. Comput. Secur. (2017)
- Information security management: an information security retrieval and awareness model for industry. Comput. Secur. (2008)
- Studying users’ computer security behavior: a health belief perspective. Decis. Support Syst. (2009)
- Analysis of personal information security behavior and awareness. Comput. Secur. (2016)
- Case study: a bold new approach to awareness and education, and how it met an ignoble fate. Comput. Fraud Secur. (2006)
- Do I really belong?: Impact of employment status on information security policy compliance. Comput. Secur. (2019)
- Information security management standards: problems and solutions. Inf. Manage. (2009)
- User preference of cyber security awareness delivery methods. Behav. Inf. Technol. (2014)
- How integration of cyber security management and incident response enables organizational learning. J. Assoc. Inf. Sci. Technol.
- The use of the major components of social marketing: a systematic review of tobacco cessation programs. Soc. Mar. Q.
- Towards a taxonomy of information security management practices in organisations
- An exploratory study of current information security training and awareness practices in organizations
- Toward sustainable behaviour change: an approach for cyber security education training and awareness
- Marketing social marketing in the social change marketplace. J. Public Policy Mark.
- Can we sell security like soap?: a new approach to behaviour change
- Enacting integrated information technology: a human agency perspective. Organ. Sci.
- SP 800-100. Information Security Handbook: A Guide for Managers
- Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors
- The behavioral roots of information systems security: exploring key factors related to unethical IT use. J. Manage. Inf. Syst.
- Developing a model for enterprise information systems security. Econ. Manage. Financ. Mark.
- Basics of Qualitative Research
- Seeing the forest and the trees: a meta-analysis of the antecedents to information security policy compliance. MIS Q.
- A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings. Eur. J. Inf. Syst.
- User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Inf. Syst. Res.
- Setting up an effective information security awareness programme
- Building theories from case study research. Acad. Manage. Rev.
- Current issues of metrics for information security awareness
- Social Marketing Pocket Guide
- Social Marketing and Public Health: Theory and Practice
- Social Marketing Casebook
- Theory at a Glance: A Guide for Health Promotion Practice
Cited by (15)
- A systematic review of current cybersecurity training methods. 2024, Computers and Security
- Information security ignorance: An exploration of the concept and its antecedents. 2023, Information and Management
- Identifying information security opinion leaders in organizations: Insights from the theory of social power bases and social network analysis. 2022, Computers and Security. Citation excerpt: “Kim et al. (2019) studied the moderating effect of InfoSec leaders’ perceived legitimacy on the direct impact of InfoSec awareness programs on the employees’ InfoSec compliance. More recent studies have recommended appointing InfoSec champions in organizations to improve organizational InfoSec (Alshaikh, 2020; Alshaikh et al., 2021; Alshaikh and Adamson, 2021; Uchendu et al., 2021). While there are many definitions of leadership, the concept can be defined as the process which involves an individual influencing other individuals to achieve some common goals (Northouse, 2018).”
- Critical success factors for Security Education, Training and Awareness (SETA) programme effectiveness: an empirical comparison of practitioner perspectives. 2024, Information and Computer Security
Dr Moneer Alshaikh is an Assistant Professor at the College of Computer Science and Engineering, Department of Cybersecurity, University of Jeddah, Saudi Arabia. He is also an Honorary Fellow at School of Computing and Information Systems, the University of Melbourne. Dr Moneer worked as a research fellow in cyber security at The Academic Centre of Cyber Security Excellence, School of Computing and Information Systems, the University of Melbourne. Dr Moneer is a certified Information Security Manager and ISO/IEC 27001 Implementer. His research interests include information security management, security awareness, and security behaviour change.
Sean B. Maynard is an academic in the School of Computing and Information Systems, University of Melbourne, Australia. He has over 25 years of teaching experience at the undergraduate, postgraduate and executive training levels. His research interests are in the management of information security specifically relating to security policy, security culture, security governance, security strategy, security analytics, and incident response. His research has been published in high-impact journals such as Computers & Security and the International Journal of Information Management as well as leading conferences such as the International Conference on Information Systems. For more information, please visit https://www.seanmaynard.me/.
Atif Ahmad is an Associate Professor at the University of Melbourne where he serves as Deputy Director for the Academic Centre of Cyber Security Excellence. Atif leads a unique team of Cybersecurity Management researchers drawn from information systems, business administration, security intelligence, and information warfare. He has authored over 90 scholarly articles in cybersecurity management and received over AUD$3.9 M in grant funding. Atif is an Associate Editor for the leading IT security journal, Computers & Security. Atif has previously served as a cybersecurity consultant for WorleyParsons, Pinkerton and SinclairKnightMerz. He is a Certified Protection Professional with the American Society for Industrial Security. For more information, please visit https://www.atifahmad.me/.