Start Date
16-8-2018 12:00 AM
Description
Insecure user behavior and failure to identify phishing are leading causes of information security breaches, triggering increased company costs in keeping information secure. Training employees toward secure information systems (IS) behavior is a way for organizations to attempt to keep information secure. Herein we outline how using traditional goals for information security training is a contributing factor to the continued rise of insecure employee behavior. We posit that the approach to information security training recommended in extant literature is failing because of its focus on improving skills in procedural, policy, and compliance activities. We propose a model suggesting alternative goals and draw propositions regarding its effectiveness. The model is of interest for investigating whether a training design that includes goals/inputs matching tools and users, a training process matching inputs to methods, and knowledge transfer outcomes emphasizing affective and metacognitive learning has a positive impact on secure behavior when using IS. The paper presents a design science model for a training strategy regarding information systems secure behavior.
Recommended Citation
Torres, Henry G and Gupta, Saurabh, "The Misunderstood Link: Information Security Training Strategy" (2018). AMCIS 2018 Proceedings. 16.
https://aisel.aisnet.org/amcis2018/Security/Presentations/16