Proceedings of JAIS Theory Development Workshop


Employee non-compliance with information systems (IS) security policies is a key concern for organisations. To tackle this problem, scholars have advanced several IS security training approaches. Although scholars and practitioners understand the importance of effective training, IS security training is largely a theoretically underdeveloped area. To this end, we advance a meta-theory for IS security training, based on Hare’s theory of three levels of thinking. It is a meta-theory because it suggests that IS security training has certain fundamental characteristics which separate it from other forms of training, and it advances pedagogical requirements for the design and evaluation of IS security training approaches. After sketching this meta-theory, including four pedagogical requirements for IS security training approaches, we show that no existing IS security training approach meets all of these requirements. We therefore put forth an IS security training approach which meets all these requirements. For scholars, this study offers new theoretical insights into the fundamental characteristics of IS security training; a set of principles for designing and evaluating IS security training approaches; and an agenda for future research on IS security training. For practitioners designing and implementing IS security training at organisations, this study offers principles for designing effective IS security training approaches in practice.