Deliver Security Awareness Training, then Repeat: {Deliver; Measure Efficacy}

Tapiwa Gundu, Stephen Flowerday, Karen Renaud
2019 Conference on Information Communications Technology and Society (ICTAS), 2019
Organisational information security policy contents are disseminated by awareness and training drives. Their success is usually judged based on immediate post-training self-reports, which are usually subject to social desirability bias. Such self-reports are generally positive, but they cannot act as a proxy for actual subsequent behaviours. This study aims to formulate and test a more comprehensive way of measuring the efficacy of these awareness and training drives, called ASTUTE. We commenced by delivering security training. We then assessed security awareness (post-training), and followed up by measuring actual behaviours. When we measured actual behaviours after a single delivery of security awareness training, the conversion from intention to behaviour was half of the desired 100%. We then proceeded to deliver the training again, another two times. The repeated training significantly reduced the gap between self-reported intention and actual secure behaviours.
doi:10.1109/ictas.2019.8703523 fatcat:etwihmi5snhw3ph6tgovbubnvu