Lessons learned from an organizational information security awareness campaign

Juan Marc Scrimgeour; Jacques Ophoff

doi:10.1007/978-3-030-23451-5_10

Lessons learned from an organizational information security awareness campaign

Juan Marc Scrimgeour, Jacques Ophoff^*

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

49 Downloads (Pure)

Abstract

Educating end-users to improve information security awareness plays an important part in securing organizational environments. While best practice standards provide a set of minimum information security awareness controls that should be implemented, little guidance is given on how to implement these controls to ensure the effectiveness of training. This research defined and evaluated a method for implementing an information security awareness campaign (ISAC) within an organization. The method is based on prior research and standards, while assisting the subject in improving their ISAC through the creation of artefacts and measurement techniques. A design science research approach was used with several research cycles to design the method. The method was implemented within an organization and evaluated based on the impact, effectiveness and results of each step, as well as the feedback from participants (two questionnaires were completed by 47 and 36 employees respectively). The research found both positive and negative results. Certain steps within the method proved time consuming and confusing to some participants. Although improvements can be made, the method was found to be adequate as it achieved the required objective within the organization and provided the organization with a risk-based method and visual representation to measure awareness on specific information security awareness topics. The results of the study not only provided value to the organization but provides a validated method for implementing an ISAC which could be applied in other contexts.

Original language	English
Title of host publication	Information security education
Subtitle of host publication	education in proactive information security: 12th IFIP WG 11.8 world conference WISE 12, Lisbon, Portugal, June 25–27, 2019, proceedings
Editors	Lynette Drevin, Marianthi Theocharidou
Place of Publication	Cham
Publisher	Springer
Pages	129-142
Number of pages	14
ISBN (Electronic)	9783030234515
ISBN (Print)	9783030234508
DOIs	https://doi.org/10.1007/978-3-030-23451-5_10
Publication status	Published - 19 Jun 2019
Externally published	Yes
Event	12th World Conference on Information Security Education: Education in Proactive Information Security - Lisbon, Portugal Duration: 25 Jun 2019 → 27 Jun 2019 Conference number: 12th

Publication series

Name	IFIP Advances in Information and Communication Technology (IFIPAICT)
Publisher	Springer
Volume	557
ISSN (Print)	1868-4238
ISSN (Electronic)	1868-422X

Conference

Conference	12th World Conference on Information Security Education
Abbreviated title	WISE 12
Country	Portugal
City	Lisbon
Period	25/06/19 → 27/06/19

Access to Document

10.1007/978-3-030-23451-5_10

Ophoff_Lessons Learned from an Organizational Information_Accepted_2019Accepted author manuscript, 370 KB

Fingerprint Dive into the research topics of 'Lessons learned from an organizational information security awareness campaign'. Together they form a unique fingerprint.

Cite this

Scrimgeour, J. M., & Ophoff, J. (2019). Lessons learned from an organizational information security awareness campaign. In L. Drevin, & M. Theocharidou (Eds.), Information security education: education in proactive information security: 12th IFIP WG 11.8 world conference WISE 12, Lisbon, Portugal, June 25–27, 2019, proceedings (pp. 129-142). (IFIP Advances in Information and Communication Technology (IFIPAICT); Vol. 557). Springer. https://doi.org/10.1007/978-3-030-23451-5_10

Scrimgeour, Juan Marc ; Ophoff, Jacques. / Lessons learned from an organizational information security awareness campaign. Information security education: education in proactive information security: 12th IFIP WG 11.8 world conference WISE 12, Lisbon, Portugal, June 25–27, 2019, proceedings. editor / Lynette Drevin ; Marianthi Theocharidou. Cham : Springer, 2019. pp. 129-142 (IFIP Advances in Information and Communication Technology (IFIPAICT)).

@inproceedings{be33ae70ce044457b29e8d98272c5ac3,

title = "Lessons learned from an organizational information security awareness campaign",

abstract = "Educating end-users to improve information security awareness plays an important part in securing organizational environments. While best practice standards provide a set of minimum information security awareness controls that should be implemented, little guidance is given on how to implement these controls to ensure the effectiveness of training. This research defined and evaluated a method for implementing an information security awareness campaign (ISAC) within an organization. The method is based on prior research and standards, while assisting the subject in improving their ISAC through the creation of artefacts and measurement techniques. A design science research approach was used with several research cycles to design the method. The method was implemented within an organization and evaluated based on the impact, effectiveness and results of each step, as well as the feedback from participants (two questionnaires were completed by 47 and 36 employees respectively). The research found both positive and negative results. Certain steps within the method proved time consuming and confusing to some participants. Although improvements can be made, the method was found to be adequate as it achieved the required objective within the organization and provided the organization with a risk-based method and visual representation to measure awareness on specific information security awareness topics. The results of the study not only provided value to the organization but provides a validated method for implementing an ISAC which could be applied in other contexts.",

author = "Scrimgeour, {Juan Marc} and Jacques Ophoff",

year = "2019",

month = jun,

day = "19",

doi = "10.1007/978-3-030-23451-5_10",

language = "English",

isbn = "9783030234508",

series = "IFIP Advances in Information and Communication Technology (IFIPAICT)",

publisher = "Springer",

pages = "129--142",

editor = "Lynette Drevin and Marianthi Theocharidou",

booktitle = "Information security education",

note = "12th World Conference on Information Security Education : Education in Proactive Information Security, WISE 12 ; Conference date: 25-06-2019 Through 27-06-2019",

}

Scrimgeour, JM & Ophoff, J 2019, Lessons learned from an organizational information security awareness campaign. in L Drevin & M Theocharidou (eds), Information security education: education in proactive information security: 12th IFIP WG 11.8 world conference WISE 12, Lisbon, Portugal, June 25–27, 2019, proceedings. IFIP Advances in Information and Communication Technology (IFIPAICT), vol. 557, Springer, Cham, pp. 129-142, 12th World Conference on Information Security Education, Lisbon, Portugal, 25/06/19. https://doi.org/10.1007/978-3-030-23451-5_10

Lessons learned from an organizational information security awareness campaign. / Scrimgeour, Juan Marc; Ophoff, Jacques.

Information security education: education in proactive information security: 12th IFIP WG 11.8 world conference WISE 12, Lisbon, Portugal, June 25–27, 2019, proceedings. ed. / Lynette Drevin; Marianthi Theocharidou. Cham : Springer, 2019. p. 129-142 (IFIP Advances in Information and Communication Technology (IFIPAICT); Vol. 557).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Lessons learned from an organizational information security awareness campaign

AU - Scrimgeour, Juan Marc

AU - Ophoff, Jacques

N1 - Conference code: 12th

PY - 2019/6/19

Y1 - 2019/6/19

N2 - Educating end-users to improve information security awareness plays an important part in securing organizational environments. While best practice standards provide a set of minimum information security awareness controls that should be implemented, little guidance is given on how to implement these controls to ensure the effectiveness of training. This research defined and evaluated a method for implementing an information security awareness campaign (ISAC) within an organization. The method is based on prior research and standards, while assisting the subject in improving their ISAC through the creation of artefacts and measurement techniques. A design science research approach was used with several research cycles to design the method. The method was implemented within an organization and evaluated based on the impact, effectiveness and results of each step, as well as the feedback from participants (two questionnaires were completed by 47 and 36 employees respectively). The research found both positive and negative results. Certain steps within the method proved time consuming and confusing to some participants. Although improvements can be made, the method was found to be adequate as it achieved the required objective within the organization and provided the organization with a risk-based method and visual representation to measure awareness on specific information security awareness topics. The results of the study not only provided value to the organization but provides a validated method for implementing an ISAC which could be applied in other contexts.

AB - Educating end-users to improve information security awareness plays an important part in securing organizational environments. While best practice standards provide a set of minimum information security awareness controls that should be implemented, little guidance is given on how to implement these controls to ensure the effectiveness of training. This research defined and evaluated a method for implementing an information security awareness campaign (ISAC) within an organization. The method is based on prior research and standards, while assisting the subject in improving their ISAC through the creation of artefacts and measurement techniques. A design science research approach was used with several research cycles to design the method. The method was implemented within an organization and evaluated based on the impact, effectiveness and results of each step, as well as the feedback from participants (two questionnaires were completed by 47 and 36 employees respectively). The research found both positive and negative results. Certain steps within the method proved time consuming and confusing to some participants. Although improvements can be made, the method was found to be adequate as it achieved the required objective within the organization and provided the organization with a risk-based method and visual representation to measure awareness on specific information security awareness topics. The results of the study not only provided value to the organization but provides a validated method for implementing an ISAC which could be applied in other contexts.

U2 - 10.1007/978-3-030-23451-5_10

DO - 10.1007/978-3-030-23451-5_10

M3 - Conference contribution

AN - SCOPUS:85068311954

SN - 9783030234508

T3 - IFIP Advances in Information and Communication Technology (IFIPAICT)

SP - 129

EP - 142

BT - Information security education

A2 - Drevin, Lynette

A2 - Theocharidou, Marianthi

PB - Springer

CY - Cham

T2 - 12th World Conference on Information Security Education

Y2 - 25 June 2019 through 27 June 2019

ER -

Scrimgeour JM, Ophoff J. Lessons learned from an organizational information security awareness campaign. In Drevin L, Theocharidou M, editors, Information security education: education in proactive information security: 12th IFIP WG 11.8 world conference WISE 12, Lisbon, Portugal, June 25–27, 2019, proceedings. Cham: Springer. 2019. p. 129-142. (IFIP Advances in Information and Communication Technology (IFIPAICT)). https://doi.org/10.1007/978-3-030-23451-5_10