The Impact of Information Security Awareness Training on Information Security Behaviour: The Case for Further Research

Information Security awareness initiatives are seen as critical to any information security programme. But, how do we determine the effectiveness of these awareness initiatives? We could get our employees to write a test afterwards to determine how well they understand the policies, but this does not show how it affects the employee’s on the job behaviour. Does awareness training have a direct influence on the security behaviour of individuals, and what is the direct benefit of awareness training? This paper represents a study in progress that aims to answer the question: to what extent does information security awareness training influence information security behaviour? Research carried out on information security has traditionally been slanted towards technical aspects of security, typically rooted in computer science and mathematics. Security was traditionally seen as a service to be provided and not something that was influenced by users. However, it was soon recognised that focusing on technical issues alone is inadequate. Technologies meant to provide security ultimately depend on the effective implementation and operation of these technologies by people. Thus awareness of policies is needed by all individuals in an organisation to ensure that policies are well understood and not misinterpreted. Some researchers have maintained that educating users is futile mainly because it is believed that it is difficult to teach users complex security issues and secondly, because security is seen as secondary by the user they will not pay enough attention to it. This paper reflects research in progress and discusses some of the problems with existing information security awareness research and proposes a model to be tested for examining the impact of information security awareness training on information security behaviour.