Elsevier

Computers & Security

Volume 100, January 2021, 102090
Applying social marketing to evaluate current security education training and awareness programs in organisations

https://doi.org/10.1016/j.cose.2020.102090

Abstract

The effectiveness of cybersecurity management programs is contingent on improving employee security behaviour. Security education, training, and awareness (SETA) programs aim to drive positive behaviour change in support of cybersecurity objectives. In this paper, we argue that existing SETA programs are suboptimal as they aim to improve employee knowledge acquisition rather than behaviour and belief. We apply social marketing principles to examine SETA practices across six organisations. We find that SETA programs fail to implement the key principles and concepts of social marketing that are essential for positive behaviour change. We therefore propose a novel development process for SETA based on a social marketing approach. We explain how the new approach can be used to develop SETA programs that are focused on behaviour change.

Introduction

Security researchers consistently argue that organisations need information security education, training, and awareness (SETA) programs to raise employees’ awareness of security risk, and to provide them with the required skills and knowledge to comply with security policy (Alshaikh 2020; Cram et al., 2019; Karjalainen et al., 2019). Despite the widespread implementation of such programs in many organisations, the rate of unintended breaches of security directives is still increasing. A recent report shows that 70% of security incidents are caused by employee noncompliance with organisational information security directives (NTT Security, 2019). This trend is consistent with previous security reports (e.g., Accenture and HfS Research, 2016; SANS, 2017) and academic literature (e.g., Almestahiri et al., 2017; Chatterjee et al., 2015; Crossler et al., 2013; Guo et al., 2011; Warkentin and Willison, 2009).

When developing SETA programs, organisations turn to “best practice” and industry standards. However, it remains unclear as to which SETA strategies are effective in specific contexts (Almestahiri et al., 2017; Beyer et al., 2015; Ki-Aries and Faily, 2017; Warkentin and Willison, 2009). As the literature points out, an underlying reason is that the standards and guidelines are neither grounded in theory nor on empirical evidence (Alshaikh et al., 2019; Jampen et al., 2020; Ng et al., 2009; Park and Chai, 2018; Siponen and Willison, 2009). Further, existing SETA programs aim to improve employee knowledge acquisition rather than behaviour and belief. Therefore, for organisations there is little clarity on how to increase the effectiveness of SETA programs to alter employee behaviour.

While there is considerable research on SETA conducted in the information systems security behaviour field (Guo et al., 2011; Puhakainen and Siponen, 2010; Sharma and Warkentin, 2019; Siponen and Vance, 2010; Willison and Warkentin, 2013; Willison et al., 2018), these studies approach the problem from an individual behaviour perspective instead of focusing on the organisational level. Within these studies, several theories (e.g., deterrence theory, neutralisation theory and protection motivation theory) have been applied to explain noncompliance with security policies (D'Arcy and Herath, 2011; Hanus and Wu, 2016; Siponen and Vance, 2010). However, the literature does not provide strategies and approaches to assist organisations in developing an effective SETA program to change employee behaviour (Alshaikh et al., 2019).

In this paper, we explore social marketing as an approach for developing more effective SETA programs. Our justification is that social marketing has been successfully used in the past to improve the effectiveness of behaviour change programs in other domains (Almestahiri et al., 2017; Tapp and Rundle-Thiele, 2016). Therefore, the aim of this paper is to use social marketing approaches to: (1) assess the effectiveness of the development process of existing SETA programs; and (2) propose a novel SETA development process. The study addresses the following research question:

How can organisations develop effective SETA programs to achieve behaviour change?

The paper is organized as follows. In our background section, we present best-practice industry guidelines on SETA, followed by an introduction to the social marketing approach to behaviour change. Subsequently, we explain the research methodology employed in this research. We then report the findings of the exploratory study, in which we map key social marketing principles to SETA practices in the six organisations under investigation. Next, we propose a new approach for the SETA development process based on social marketing. Finally, we conclude with implications of the research and directions for future work.

Background

In this section, we introduce background research on SETA and Social Marketing.

Research methodology

To answer the research question we use a qualitative, exploratory research approach to gain a rich picture of the research phenomenon (Stebbins, 2001). Qualitative methods allow us to develop a rich picture of the relevant phenomena and allows us to investigate aspects of the phenomena that may not be obvious at the outset of the research project (Boudreau and Robey, 2005; Eisenhardt, 1989; Klein and Myers, 1999; Yin, 2018). The empirical data in the paper comes from six semi-structured

Findings and discussion

The following sections present our findings and discussion using the social marketing lens.

A social marketing SETA development process

The process for developing a strategic social marketing plan is outlined in detail in Lee and Kotler (2015). As shown in Fig. 2, the process consists of ten steps divided into five key phases: scoping, selecting, understanding, designing, and managing. The five phases are described below with examples from the information security context to demonstrate how these phases can be applied to the domain.

The process is a logical step-by-step approach, from scoping through to managing, giving a

Discussion

In this section, we map stages of the proposed SETA development process to social marketing principles to show how the proposed model addresses gaps in existing SETA approaches. Further, we discuss how the proposed model, when compared to existing approaches, can provide comprehensive and systematic guidance to develop an effective SETA program.

The proposed SETA development process can address the gaps in existing SETA programs identified as shown in Table 4. In the scoping phase of the

Conclusion, contributions and future work

This paper investigates the use of the social marketing approach in SETA. Our review of the literature shows that there is little evidence that the social marketing approach has been applied for SETA development, even though it has been used in other domains to effectively change behaviour. To further investigate this in practice, we undertook six expert interviews with experienced practitioners in the SETA field. These expert interviews reveal that despite awareness training, by definition,

CRediT authorship contribution statement

Moneer Alshaikh: Conceptualization, Investigation, Methodology, Writing - original draft. Sean B. Maynard: Supervision, Visualization, Writing - review & editing. Atif Ahmad: Supervision, Visualization, Writing - review & editing.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (76)

  • Accenture & HfS Research. 2016. "The state of cybersecurity and digital trust: identifying cybersecurity gaps to...
  • A. Ahmad et al. How integration of cyber security management and incident response enables organizational learning. J. Assoc. Inf. Sci. Technol. (2020)
  • R.d. Almestahiri et al. The use of the major components of social marketing: a systematic review of tobacco cessation programs. Soc. Mar. Q. (2017)
  • M. Alshaikh et al. Towards a taxonomy of information security management practices in organisations
  • M. Alshaikh et al. An exploratory study of current information security training and awareness practices in organizations
  • M. Alshaikh et al. Toward sustainable behaviour change: an approach for cyber security education training and awareness
  • A.R. Andreasen. Marketing social marketing in the social change marketplace. J. Public Policy Mark. (2002)
  • D. Ashenden et al. Can we sell security like soap?: a new approach to behaviour change
  • Bada, M., Sasse, A.M., and Nurse, J.R. 2019. "Cyber security awareness campaigns: why do they fail to change...
  • Beyer, M., Ahmed, S., Doerlemann, K., Arnell, S., Parkin, S., Sasse, M., and Passingham, N. 2015. "Awareness is only...
  • M.-C. Boudreau et al. Enacting integrated information technology: a human agency perspective. Organ. Sci. (2005)
  • P. Bowen et al. SP 800-100. Information Security Handbook: A Guide for Managers (2006)
  • P. Carpenter. Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (2019)
  • S. Chatterjee et al. The behavioral roots of information systems security: exploring key factors related to unethical IT use. J. Manage. Inf. Syst. (2015)
  • P.E. Chaudhry et al. Developing a model for enterprise information systems security. Econ. Manage. Financ. Mark. (2012)
  • J. Corbin et al. Basics of Qualitative Research (2015)
  • W.A. Cram et al. Seeing the forest and the trees: a meta-analysis of the antecedents to information security policy compliance. MIS Q. (2019)
  • J. D’Arcy et al. A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings. Eur. J. Inf. Syst. (2011)
  • J. D’Arcy et al. User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Inf. Syst. Res. (2009)
  • D. De Maeyer. Setting up an effective information security awareness programme
  • K.M. Eisenhardt. Building theories from case study research. Acad. Manage. Rev. (1989)
  • ENISA. 2012. "Collaborative Awareness Raising for EU Citizens & SMEs." Retrieved from...
  • ENISA. 2017. "Cyber Security Culture in Organisations." Retrieved from...
  • T. Fertig et al. Current issues of metrics for information security awareness
  • J. French et al. Social Marketing Pocket Guide (2005)
  • J. French et al. Social Marketing and Public Health: Theory and Practice (2010)
  • J. French et al. Social Marketing Casebook (2011)
  • K. Glanz et al. Theory At a Glance: A Guide for Health Promotion Practice (1997)
Dr Moneer Alshaikh is an Assistant Professor at the College of Computer Science and Engineering, Department of Cybersecurity, University of Jeddah, Saudi Arabia. He is also an Honorary Fellow at the School of Computing and Information Systems, the University of Melbourne. Dr Moneer worked as a research fellow in cyber security at The Academic Centre of Cyber Security Excellence, School of Computing and Information Systems, the University of Melbourne. Dr Moneer is a certified Information Security Manager and ISO/IEC 27001 Implementer. His research interests include information security management, security awareness, and security behaviour change.

Sean B. Maynard is an academic in the School of Computing and Information Systems, University of Melbourne, Australia. He has over 25 years of teaching experience at the undergraduate, postgraduate and executive training levels. His research interests are in the management of information security, specifically relating to security policy, security culture, security governance, security strategy, security analytics, and incident response. His research has been published in high-impact journals such as Computers & Security and the International Journal of Information Management as well as leading conferences such as the International Conference on Information Systems. For more information, please visit https://www.seanmaynard.me/.

Atif Ahmad is an Associate Professor at the University of Melbourne where he serves as Deputy Director for the Academic Centre of Cyber Security Excellence. Atif leads a unique team of Cybersecurity Management researchers drawn from information systems, business administration, security intelligence, and information warfare. He has authored over 90 scholarly articles in cybersecurity management and received over AUD$3.9 M in grant funding. Atif is an Associate Editor for the leading IT security journal, Computers & Security. Atif has previously served as a cybersecurity consultant for WorleyParsons, Pinkerton and SinclairKnightMerz. He is a Certified Protection Professional with the American Society for Industrial Security. For more information, please visit https://www.atifahmad.me/.