Location
Online
Event Website
https://hicss.hawaii.edu/
Start Date
3-1-2023 12:00 AM
End Date
7-1-2023 12:00 AM
Description
Information security education, training, and awareness (SETA) are approaches to changing end-users’ security behavior. Research into SETA has conducted interventions to study the effects of SETA on security behavior. However, we lack aggregated knowledge on ‘how do SETA interventions influence security behavior?’. This study reviews 21 empirical SETA intervention studies published across the top IS journals. The theoretical findings show that the research has extended Protection Motivation Theory by (1) enhancements to fear appeals; (2) drawing attention to relevance; (3) incorporating temporality; (4) and shifting from intentions to behavior. In terms of behavior, the SETA interventions have targeted (1) information security policy compliance behavior; and (2) information protection behavior. We argue that while these studies have provided insights into security intentions and behavior, knowledge on designing effective SETA training has remained primarily anecdotal. We contribute (1) by pointing out gaps in the knowledge; and (2) by proposing tentative design recommendations.
Recommended Citation
Nwachukwu, Uchechukwu; Vidgren, Jiri; Niemimaa, Marko; and Järveläinen, Jonna, "Do SETA Interventions Change Security Behavior? – A Literature Review" (2023). Hawaii International Conference on System Sciences 2023 (HICSS-56). 8.
https://aisel.aisnet.org/hicss-56/os/socio-technical_issues_in_it/8
Do SETA Interventions Change Security Behavior? – A Literature Review
Online
Information security education, training, and awareness (SETA) are approaches to changing end-users’ security behavior. Research into SETA has conducted interventions to study the effects of SETA on security behavior. However, we lack aggregated knowledge on ‘how do SETA interventions influence security behavior?’. This study reviews 21 empirical SETA intervention studies published across the top IS journals. The theoretical findings show that the research has extended Protection Motivation Theory by (1) enhancements to fear appeals; (2) drawing attention to relevance; (3) incorporating temporality; (4) and shifting from intentions to behavior. In terms of behavior, the SETA interventions have targeted (1) information security policy compliance behavior; and (2) information protection behavior. We argue that while these studies have provided insights into security intentions and behavior, knowledge on designing effective SETA training has remained primarily anecdotal. We contribute (1) by pointing out gaps in the knowledge; and (2) by proposing tentative design recommendations.
https://aisel.aisnet.org/hicss-56/os/socio-technical_issues_in_it/8