Applying social marketing to evaluate current security education training and awareness programs in organisations

The effectiveness of cybersecurity management programs is contingent on improving employee security behaviour. Security education, training, and awareness (SETA) programs aim to drive positive behaviour change in support of cybersecurity objectives. In this paper, we argue that existing SETA programs are suboptimal as they aim to improve employee knowledge acquisition rather than behaviour and belief. We apply social marketing principles to examine SETA practices across six organisations. We find that SETA programs fail to implement the key principles and concepts of social marketing that are essential for positive behaviour change. We therefore propose a novel development process for SETA based on a social marketing approach. We explain how the new approach can be used to develop SETA programs that are focused on behaviour change. (C) 2020 Elsevier Ltd. All rights reserved.

Automated summary

This paper discusses the shortcomings of existing Security Education, Training and Awareness programs, which focus on knowledge acquisition rather than behavior change. Research reveals that these programs fail to implement key principles of social marketing, limiting their effectiveness in promoting positive behavior change. A new development process based on social marketing principles is proposed to enable Security Education, Training and Awareness programs to focus more on behavior change initiatives.