From awareness to influence: toward a model for improving employees’ security behaviour

Cited by: 2
Authors
Alshaikh M. [1]
Adamson B. [2]
Affiliations
[1] Department of Cybersecurity, College of Computer Science and Engineering, University of Jeddah, 6420 University of Jeddah Road, P.O. Box 13151, Jeddah
[2] Cyber Influence, Telstra, Melbourne
Keywords
Behaviour change; cybersecurity awareness; Cybersecurity champion; Cybersecurity influence; Cybersecurity influence strategies; Information security management
DOI
10.1007/s00779-021-01551-2
Abstract
This paper argues that a conventional approach to cybersecurity awareness is not effective in influencing employees and creating sustainable behaviour change. The increase in security incidents caused by employees is evidence that providing information to raise employees’ awareness does not necessarily result in improving their security behaviour, and organisations must transform their security awareness program to extend beyond awareness to influence and behaviour change. This paper presents an in-depth case study of Telstra, a leading Australian telecommunication company with a well-resourced and mature cybersecurity influence program that evolved as a result of experience throughout the years. The paper adopts the psychological attachment theory to explain strategies (e.g. cybersecurity champion) implemented by the Telstra influence team to influence employees to improve their security-related behaviour. The contribution of this paper represents the first step for a comprehensive practice-based guidance for organisations on how to transform their cybersecurity beyond awareness to influence behavioural change. This paper is based on both academic and industrial perspectives, and it provides a sound basis for future empirical work. © 2021, The Author(s), under exclusive licence to Springer-Verlag London Ltd., part of Springer Nature.
Pages: 829-841
Number of pages: 12