Lessons learned from an organizational information security awareness campaign

Juan Marc Scrimgeour, Jacques Ophoff*

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Educating end-users to improve information security awareness plays an important part in securing organizational environments. While best practice standards provide a set of minimum information security awareness controls that should be implemented, little guidance is given on how to implement these controls to ensure the effectiveness of training. This research defined and evaluated a method for implementing an information security awareness campaign (ISAC) within an organization. The method is based on prior research and standards, while assisting the subject in improving their ISAC through the creation of artefacts and measurement techniques. A design science research approach was used with several research cycles to design the method. The method was implemented within an organization and evaluated based on the impact, effectiveness and results of each step, as well as the feedback from participants (two questionnaires were completed by 47 and 36 employees respectively). The research found both positive and negative results. Certain steps within the method proved time consuming and confusing to some participants. Although improvements can be made, the method was found to be adequate as it achieved the required objective within the organization and provided the organization with a risk-based method and visual representation to measure awareness on specific information security awareness topics. The results of the study not only provided value to the organization but also provide a validated method for implementing an ISAC which could be applied in other contexts.

Original language: English
Title of host publication: Information security education
Subtitle of host publication: education in proactive information security: 12th IFIP WG 11.8 world conference WISE 12, Lisbon, Portugal, June 25–27, 2019, proceedings
Editors: Lynette Drevin, Marianthi Theocharidou
Place of Publication: Cham
Publisher: Springer
Pages: 129-142
Number of pages: 14
ISBN (Electronic): 9783030234515
ISBN (Print): 9783030234508
DOIs: https://doi.org/10.1007/978-3-030-23451-5_10
Publication status: Published - 19 Jun 2019
Externally published: Yes
Event: 12th World Conference on Information Security Education: Education in Proactive Information Security - Lisbon, Portugal
Duration: 25 Jun 2019 to 27 Jun 2019
Conference number: 12th

Publication series

Name: IFIP Advances in Information and Communication Technology (IFIPAICT)
Publisher: Springer
Volume: 557
ISSN (Print): 1868-4238
ISSN (Electronic): 1868-422X

Conference

Conference: 12th World Conference on Information Security Education
Abbreviated title: WISE 12
Country: Portugal
City: Lisbon
Period: 25/06/19 to 27/06/19

Cite this

Scrimgeour, J. M., & Ophoff, J. (2019). Lessons learned from an organizational information security awareness campaign. In L. Drevin, & M. Theocharidou (Eds.), Information security education: education in proactive information security: 12th IFIP WG 11.8 world conference WISE 12, Lisbon, Portugal, June 25–27, 2019, proceedings (pp. 129-142). (IFIP Advances in Information and Communication Technology (IFIPAICT); Vol. 557). Springer. https://doi.org/10.1007/978-3-030-23451-5_10