Deliver security awareness training, then repeat: {deliver; measure efficacy}

Tapiwa Gundu, Stephen Flowerday, Karen Renaud

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

10 Citations (Scopus)
366 Downloads (Pure)


Organisational information security policy contents are disseminated by awareness and training drives. Their success is usually judged based on immediate post-training self-reports, which are usually subject to social desirability bias. Such self-reports are generally positive, but they cannot act as a proxy for actual subsequent behaviours.

This study aims to formulate and test a more comprehensive way of measuring the efficacy of these awareness and training drives, called ASTUTE. We commenced by delivering security training. We then assessed security awareness (post-training), and followed up by measuring actual behaviours. When we measured actual behaviours after a single delivery of security awareness training, the conversion from intention to behaviour was half of the desired 100%. We then proceeded to deliver the training again, another two times.

The repeated training significantly reduced the gap between self-reported intention and actual secure behaviours.
Original language: English
Title of host publication: 2019 Conference on Information Communications Technology and Society (ICTAS)
Number of pages: 6
ISBN (Electronic): 9781538673652
ISBN (Print): 9781538673669
Publication status: Published - 2 May 2019
Event: Information Communications Technology and Society Conference - Blue Waters Hotel, Marine Parade, Durban, South Africa
Duration: 6 Mar 2019 to 7 Mar 2019
Conference number: 3rd


Conference: Information Communications Technology and Society Conference
Abbreviated title: IEEE ICTAS
Country/Territory: South Africa


  • Information security awareness
  • Information security assessment
  • Intention behaviour gap

