Abstract
This paper argues that the conventional approach to cybersecurity awareness is not effective in influencing employees or creating sustainable behaviour change. The increase in security incidents caused by employees is evidence that providing information to raise employees’ awareness does not necessarily improve their security behaviour, and that organisations must transform their security awareness programs to extend beyond awareness towards influence and behaviour change. This paper presents an in-depth case study of Telstra, a leading Australian telecommunications company with a well-resourced and mature cybersecurity influence program that has evolved from experience over the years. The paper adopts psychological attachment theory to explain the strategies (e.g. cybersecurity champions) implemented by Telstra’s influence team to influence employees to improve their security-related behaviour. The contribution of this paper represents a first step toward comprehensive practice-based guidance for organisations on how to move their cybersecurity programs beyond awareness to influence behavioural change. The paper draws on both academic and industry perspectives and provides a sound basis for future empirical work.
Acknowledgments
We would like to thank the cyber influence team for sharing their experience and providing feedback and comments on the manuscript.
Ethics declarations
Conflict of interest
The authors declare no competing interests.
Cite this article
Alshaikh, M., Adamson, B. From awareness to influence: toward a model for improving employees’ security behaviour. Pers Ubiquit Comput 25, 829–841 (2021). https://doi.org/10.1007/s00779-021-01551-2