Security Education, Training and Awareness Program and Employees’ Security Behavior

Posted on: 2023-02-20 | Degree: Doctor | Type: Dissertation
Country: China | Candidate: S Q Hu | Full Text: PDF
GTID: 1529307316952529 | Subject: Management Science and Engineering
Abstract/Summary:
Information security has become increasingly vital to organizations due to the rapid growth of digital transactions and information sharing within and across organizations. For most organizations, the biggest information security threat is their own staff. Academics and practitioners have developed various information security countermeasures to combat the security threat caused by insiders; unfortunately, for most of them, the results are highly mixed. In stark contrast, research has shown that the security education, training, and awareness (SETA) program is the key to addressing “people problems” in information systems (IS) security. SETA is more effective at countering internal security threats and promoting employees’ security behaviors. Contrary to the dominant approach, which views SETA as a simple, single construct, we argue that the attributes of SETA are the key determinants of the programs’ impact on individuals. Based on event system theory (EST), we adopted an “event” lens to conceptualize the SETA program as an event. More specifically, we bridge this gap by using EST to conceptualize SETA programs as “organization events” and empirically investigated whether, and if so how, the strength dimension of the SETA event impacts employees’ intentions to comply with security policy (i.e., in-role behavioral intentions) and extra-role behavioral intentions. Moreover, we went a step further by examining how managerial approaches to the SETA program affect employees’ perceptions of the SETA event and their subsequent intention and behavior. Based on the IS security literature, we identify two types of managerial approaches: pedagogical approaches and communication approaches. Furthermore, we developed and empirically tested a model of these relationships.

The results of this research advance the understanding of SETA attributes and their impacts on employees’ compliance intentions and extra-role behavioral intentions from the EST perspective. The results suggest that the novelty of the SETA event is more effective in fueling extra-role behavioral intention than compliance intention. The results also suggest that criticality exerts a similar positive influence on both compliance and extra-role behavioral intention, while the disruption of the SETA event has a significant negative effect on these two intentions. Further, there is evidence that the negative relationship between SETA event disruption and the two security behavioral intentions is stronger when the SETA event is dispersed throughout a wide range of organizational hierarchy levels. In addition, the results of this research showed that the pedagogical approach was more effective compared to the communication approach and that employees’ perceptions of the SETA program accounted for a large variance in SETA commitment. Furthermore, the theoretical and practical implications of these results for IS security are presented.
Keywords/Search Tags: Information Security, Security Education Training and Awareness Program, Event Systems Theory, SETA