“Get a red-hot poker and open up my eyes, it's so boring”¹: employee perceptions of cybersecurity training
Date
2021
Authors
Reeves, A.
Calic, D.
Delfabbro, P.
Editors
Advisors
Journal Title
Journal ISSN
Volume Title
Type:
Journal article
Citation
Computers and Security, 2021; 106:1-13
Statement of Responsibility
A. Reeves, D. Calic, P.Delfabbro
Conference Name
Abstract
Organisations and security professionals design Security Education, Training, and Awareness (SETA) programs to improve cybersecurity behaviour, but they are often poorly received by employees. To understand employee negative perceptions of SETA programs, we conducted in-depth interviews with 20 Australian employees regarding their experiences with both SETA programs and non-cybersecurity related workplace training. As expected, employees had a generally poor view of SETA programs. They reported that the same factors that are important for effective non-cybersecurity training are also important for SETA programs, such as management role modelling and well-designed workplace systems. How-ever, the level of importance of these factors differed across the two contexts. For example, employees indicated that the misbehaviour of their colleagues is a more important factor for their appraisal of a SETA program than it is for a non-cybersecurity workplace training program. Our results suggest that employee perceptions of SETA programs relate to their previously held beliefs about cybersecurity threats, the content and delivery of the training program, the behaviour of others around them, and features of their organisation. From an
applied perspective, these findings can explain why employees often do not engage with cybersecurity training material, and how their current beliefs can influence their receptivity for future training.
School/Discipline
Dissertation Note
Provenance
Description
Access Status
Rights
Crown Copyright © 2021 Published by Elsevier Ltd. All rights reserved.