Deliver security awareness training, then repeat

{deliver; measure efficacy}

Tapiwa Gundu, Stephen Flowerday, Karen Renaud

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Organisational information security policy contents are disseminated by awareness and training drives. Their success is usually judged based on immediate post-training self-reports, which are usually subject to social desirability bias. Such self-reports are generally positive, but they cannot act as a proxy for actual subsequent behaviours.

This study aims to formulate and test a more comprehensive way of measuring the efficacy of these awareness and training drives, called ASTUTE. We commenced by delivering security training. We then assessed security awareness (post-training), and followed up by measuring actual behaviours. When we measured actual behaviours after a single delivery of security awareness training, the conversion from intention to behaviour was half of the desired 100%. We then proceeded to deliver the training again, another two times.

The repeated training significantly reduced the gap between self-reported intention and actual secure behaviours.

Original language: English
Title of host publication: 2019 Conference on Information Communications Technology and Society (ICTAS)
Publisher: IEEE
Number of pages: 6
ISBN (Electronic): 9781538673652
ISBN (Print): 9781538673669
DOIs: https://doi.org/10.1109/ICTAS.2019.8703523
Publication status: Published - 2 May 2019
Event: Information Communications Technology and Society Conference - Blue Waters Hotel, Marine Parade, Durban, South Africa
Duration: 6 Mar 2019 to 7 Mar 2019
Conference number: 3rd
http://www.ictas2019.com/

Conference

Conference: Information Communications Technology and Society Conference
Abbreviated title: IEEE ICTAS
Country: South Africa
City: Durban
Period: 6/03/19 to 7/03/19
Internet address: http://www.ictas2019.com/

Fingerprint

Security of data

Cite this

Gundu, T., Flowerday, S., & Renaud, K. (2019). Deliver security awareness training, then repeat: {deliver; measure efficacy}. In 2019 Conference on Information Communications Technology and Society (ICTAS). IEEE. https://doi.org/10.1109/ICTAS.2019.8703523