Deliver security awareness training, then repeat: {deliver; measure efficacy}

Tapiwa Gundu, Stephen Flowerday, Karen Renaud

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Organisational information security policy contents are disseminated by awareness and training drives. Its success is usually judged based on immediate post-training self-reports which are usually subject to social desirability bias. Such self-reports are generally positive, but they cannot act as a proxy for actual subsequent behaviours.

This study aims to formulate and test a more comprehensive way of measuring the efficacy of these awareness and training drives, called ASTUTE. We commenced by delivering security training. We then assessed security awareness (post-training), and followed up by measuring actual behaviours. When we measured actual behaviours after a single delivery of security awareness training, the conversion from intention to behaviour was half of the desired 100%. We then proceeded to deliver the training again, another two times.

The repeated training significantly reduced the gap between self-reported intention and actual secure behaviours.

Original language: English
Title of host publication: 2019 Conference on Information Communications Technology and Society (ICTAS)
Publisher: IEEE
Number of pages: 6
ISBN (Electronic): 9781538673652
DOIs: https://doi.org/10.1109/ICTAS.2019.8703523
Publication status: E-pub ahead of print - 2 May 2019
Event: Information Communications Technology and Society Conference - Blue Waters Hotel, Marine Parade, Durban, South Africa
Duration: 6 Mar 2019 to 7 Mar 2019
Conference number: 3rd
http://www.ictas2019.com/

Conference

Conference: Information Communications Technology and Society Conference
Abbreviated title: IEEE ICTAS
Country: South Africa
City: Durban
Period: 6/03/19 to 7/03/19
Internet address: http://www.ictas2019.com/

Fingerprint

Security of data

Cite this

Gundu, T., Flowerday, S., & Renaud, K. (2019). Deliver security awareness training, then repeat: {deliver; measure efficacy}. In 2019 Conference on Information Communications Technology and Society (ICTAS). IEEE. https://doi.org/10.1109/ICTAS.2019.8703523

Gundu, Tapiwa; Flowerday, Stephen; Renaud, Karen. / Deliver security awareness training, then repeat: {deliver; measure efficacy}. 2019 Conference on Information Communications Technology and Society (ICTAS). IEEE, 2019.

@inproceedings{064fef069ab140b4924a66a3fa15d53b,
title = "Deliver security awareness training, then repeat: {deliver; measure efficacy}",
abstract = "Organisational information security policy contents are disseminated by awareness and training drives. Its success is usually judged based on immediate post-training self-reports which are usually subject to social desirability bias. Such self-reports are generally positive, but they cannot act as a proxy for actual subsequent behaviours. This study aims to formulate and test a more comprehensive way of measuring the efficacy of these awareness and training drives, called ASTUTE. We commenced by delivering security training. We then assessed security awareness (post-training), and followed up by measuring actual behaviours. When we measured actual behaviours after a single delivery of security awareness training, the conversion from intention to behaviour was half of the desired 100{\%}. We then proceeded to deliver the training again, another two times. The repeated training significantly reduced the gap between self-reported intention and actual secure behaviours.",
author = "Tapiwa Gundu and Stephen Flowerday and Karen Renaud",
year = "2019",
month = "5",
day = "2",
doi = "10.1109/ICTAS.2019.8703523",
language = "English",
booktitle = "2019 Conference on Information Communications Technology and Society (ICTAS)",
publisher = "IEEE",

}

Gundu, T, Flowerday, S & Renaud, K 2019, Deliver security awareness training, then repeat: {deliver; measure efficacy}. in 2019 Conference on Information Communications Technology and Society (ICTAS). IEEE, Information Communications Technology and Society Conference, Durban, South Africa, 6/03/19. https://doi.org/10.1109/ICTAS.2019.8703523

Deliver security awareness training, then repeat: {deliver; measure efficacy}. / Gundu, Tapiwa; Flowerday, Stephen; Renaud, Karen.

2019 Conference on Information Communications Technology and Society (ICTAS). IEEE, 2019.

TY - GEN

T1 - Deliver security awareness training, then repeat

T2 - {deliver; measure efficacy}

AU - Gundu, Tapiwa

AU - Flowerday, Stephen

AU - Renaud, Karen

PY - 2019/5/2

Y1 - 2019/5/2

AB - Organisational information security policy contents are disseminated by awareness and training drives. Its success is usually judged based on immediate post-training self-reports which are usually subject to social desirability bias. Such self-reports are generally positive, but they cannot act as a proxy for actual subsequent behaviours. This study aims to formulate and test a more comprehensive way of measuring the efficacy of these awareness and training drives, called ASTUTE. We commenced by delivering security training. We then assessed security awareness (post-training), and followed up by measuring actual behaviours. When we measured actual behaviours after a single delivery of security awareness training, the conversion from intention to behaviour was half of the desired 100%. We then proceeded to deliver the training again, another two times. The repeated training significantly reduced the gap between self-reported intention and actual secure behaviours.

U2 - 10.1109/ICTAS.2019.8703523

DO - 10.1109/ICTAS.2019.8703523

M3 - Conference contribution

BT - 2019 Conference on Information Communications Technology and Society (ICTAS)

PB - IEEE

ER -

Gundu T, Flowerday S, Renaud K. Deliver security awareness training, then repeat: {deliver; measure efficacy}. In 2019 Conference on Information Communications Technology and Society (ICTAS). IEEE. 2019. https://doi.org/10.1109/ICTAS.2019.8703523