Journal
COMPUTERS & SECURITY
Volume 100, Issue -, Pages -
Publisher
ELSEVIER ADVANCED TECHNOLOGY
DOI: 10.1016/j.cose.2020.102090
Keywords
Information security education training and awareness; Behavioural information security; Behaviour change; Social marketing; Security interventions
This paper discusses the shortcomings of existing Security Education, Training and Awareness programs, which focus on knowledge acquisition rather than behavior change. Research reveals that these programs fail to implement key principles of social marketing, limiting their effectiveness in promoting positive behavior change. A new development process based on social marketing principles is proposed to enable Security Education, Training and Awareness programs to focus more on behavior change initiatives.
The effectiveness of cybersecurity management programs is contingent on improving employee security behaviour. Security education, training, and awareness (SETA) programs aim to drive positive behaviour change in support of cybersecurity objectives. In this paper, we argue that existing SETA programs are suboptimal as they aim to improve employee knowledge acquisition rather than behaviour and belief. We apply social marketing principles to examine SETA practices across six organisations. We find that SETA programs fail to implement the key principles and concepts of social marketing that are essential for positive behaviour change. We therefore propose a novel development process for SETA based on a social marketing approach. We explain how the new approach can be used to develop SETA programs that are focused on behaviour change. (C) 2020 Elsevier Ltd. All rights reserved.