Abstract: Information security (InfoSec) is concerned with protecting the confidentiality, integrity and availability of information and information systems. InfoSec has traditionally been considered a technology problem, with much attention focused on technical solutions. However, technology alone cannot deal with all InfoSec risks. Research shows that a large majority of InfoSec breaches are caused by human error. It is ultimately the end users in any organisation who are the primary line of defence. Whilst security breaches can be attributed to a variety of factors, inadequate user awareness training consistently features prominently among them. Awareness training programmes are often identified as a key contributor to changing user behaviour in order to achieve optimum security. However, research shows that whilst many organisations implement such programmes, security breaches resulting from human error are still rampant, which calls into question the effectiveness of existing InfoSec awareness programmes. This is the phenomenon that is the focus of this study. This phenomenological study investigated the shortcomings in existing InfoSec awareness training programmes (vis-à-vis human error) based on a literature survey of internationally peer-reviewed books, professional practice literature, journal papers, articles, policy documents and global security surveys. In addition, semi-structured, in-depth, open-ended interviews were conducted with eight InfoSec academics and practitioners to understand their lived experiences and perspectives on the phenomenon in question. The research participants were encouraged to share their experiences of researching InfoSec threats and countermeasures as well as of implementing and managing InfoSec awareness training programmes.
The experiences shared by the participants offered valuable and practical insights into important issues surrounding the human factors contributing to human error, the nature of security threats, the psychological aspects of human behaviour, and the factors contributing to the ineffectiveness (and effectiveness) of awareness training programmes. Interpretative Phenomenological Analysis (IPA) was used to analyse participants' responses to the interview questions in order to help answer the research question. The analysis culminated in the formation of practical guidelines, corroborated by academic, industrial and professional practice research literature as well as my own professional knowledge and experience. The guidelines offered here will help to improve the processes and practices used to develop and implement effective InfoSec awareness programmes and can be built into future awareness programmes to reduce security breaches resulting from human error. The guidelines will benefit a range of groups within my professional community, including myself, InfoSec academics, InfoSec practitioners, organisational leaders, managers, chief information officers, chief information security officers, systems administrators and end users. The outcome of this study contributes to the scientific knowledge and understanding of an important phenomenon and offers InfoSec researchers a springboard for further exploration of issues related to InfoSec awareness training and human behaviour. The essence of the experiences shared by the research participants in this study also serves as a catalyst for further research.