Research article

A field experiment on ISP training designs for enhancing employee information security compliance

Ilja Nastjuk, Florian Rampold, Simon Trang & Jose Benitez
Received 19 Apr 2023, Accepted 20 May 2024, Published online: 03 Jun 2024
 

ABSTRACT

Information security policy (ISP) training plays an important role in enhancing organisational resilience against cyber threats by providing employees with the necessary knowledge and skills to effectively identify, prevent, and respond to security breaches. This research aims to explore how the use of deterrence arguments and threat arguments can enhance the effectiveness of ISP training. We theorise how ISP training affects employees’ ISP compliance behaviour by arguing for a transfer of training lens to study the effectiveness of ISP training. The results of our field experiment with triangulated data suggest that the effect of argumentative-enhanced ISP training is twofold. First, employees who participated in enhanced training sessions with deterrence and threat arguments demonstrated superior training outputs after the training, which, in turn, translated into a sustained training outcome three weeks after the training. Second, we also find evidence that threat arguments can reinforce the application of training outputs in the maintenance stage of learned behaviours. With this applied research study, we contribute to the research and practice by providing empirical evidence of the effectiveness of ISP training designs.

Acknowledgements

This research paper has been developed as part of the research project “KISK” funded by the German Federal Ministry of Health (Grant number: ZMI1-2521FSB80A-B). We would like to thank the Federal Ministry of Health for the support. We also acknowledge the research sponsorship received from the Government of Spain and the European Regional Development Fund (European Union) (Research Projects PID2021-124725NB-I00, PID2021-124396NB-I00, and TED2021-130104B-I00).

Disclosure statement

No potential conflict of interest was reported by the author(s).

Supplemental data

Supplemental data for this article can be accessed online at https://doi.org/10.1080/0960085X.2024.2359460.

Notes

1. Argumentative enhancements are persuasive messages integrated into SETA programs, aiming to enforce compliance behaviour by instilling fear, such as detailing the potential consequences of security threats and the personal ramifications of non-compliant behaviour (Wall & Buche, 2017; Witte, 1992).

2. At Company D, we had the opportunity to collect data over a timeframe of several weeks, enabling us to examine the long-term effects of ISP training design on ISP behaviour change maintenance. At Companies A, B, and C, we encountered company-specific data collection constraints, which limited our ability to measure ISP training outcomes solely after the training.

3. While research suggests that employing individualised message rhetoric, including the use of personally relevant language, can significantly impact security behaviour (A. C. Johnston et al., 2023, 2019), we have chosen not to use personally relevant language in our threat and deterrence arguments. This decision is grounded in the fact that onsite trainings typically involve diverse groups with individuals holding varying roles and responsibilities, making the creation of individualised messages challenging. Our messages are designed to resonate personally with employees. For instance, the deterrence messages integrated into the ISP training emphasise the potential consequences of sanctions for individual employees, making the content personally relevant. Furthermore, by heightening awareness about potential threats that could disrupt operations at the employee’s, departmental, or organisational level, our aim is to emphasise the importance of security practices in the workplace. This approach not only underscores the relevance of security but also transforms the abstract concept of security threats into personally relevant considerations for employees.

4. We utilised a random allocation process for rooms, training times, and trainers across different groups. This randomisation was designed to account for unobserved factors at the trainer, time, and location levels, reducing biases related to participant fatigue/alertness, trainer motivation, and variations in training facilities. To establish a standardised and comparable experimental environment as much as possible, we maintained consistency in the duration of training sessions. By aligning them within a similar range, we aimed to control for variations that could potentially introduce bias into our results.

Additional information

Notes on contributors

Ilja Nastjuk

Ilja Nastjuk ([email protected]) is a Postdoctoral Researcher at the University of Goettingen, Germany. He earned a Ph.D. in Information Systems (IS) from the University of Goettingen in 2017 and a Ph.D. in Accounting and Corporate Governance from Macquarie University in 2018. His research interests span the influence of technology on stress and human behavior, the adoption of self-driving cars, and information security management. His work has been published in numerous peer-reviewed journals and conference proceedings, such as European Journal of Information Systems, Technological Forecasting and Social Change, Electronic Markets, Computers & Security, Transportation Research Part D: Transport and Environment, Transportation Research Part F: Traffic Psychology, and International Conference on Information Systems. In addition, Ilja has served as Guest Editor of Electronic Markets.

Florian Rampold

Florian Rampold ([email protected]) is a Ph.D. Student of Information Systems (IS) at the Research Group of Information Security and Compliance at the University of Goettingen, Goettingen, Germany. Florian holds an M.S. in IS from the University of Goettingen. His research has been presented at leading IS conferences such as the International Conference on Information Systems, European Conference on Information Systems, and the Hawaii International Conference on System Sciences.

Simon Trang

Simon Trang ([email protected]) holds the Chair of Information Systems and Sustainability at the Faculty of Business and Economics at the University of Paderborn, Paderborn, Germany. He received his Ph.D. in Management Science, specializing in IS, from the University of Goettingen. His work focuses on information security management, privacy, and sustainable IS. His research has been published or is forthcoming in outlets such as Information Systems Research, Journal of the Association for Information Systems, European Journal of Information Systems, and Journal of Information Technology. Simon serves as Associate Editor for Information & Management.

Jose Benitez

Jose Benitez is a Professor of Information Systems (IS), Department Chair of Information Systems and Business Analytics, and the Bridgestone Endowed Chair in International Business at the Ambassador Crawford College of Business and Entrepreneurship, Kent State University, Kent, Ohio, USA. His research interests cover the impact of digital technologies and digitalization on organizations and individuals and the development of theory and quantitative research methods in IS research. His research has been published in about 55 papers in leading journals including MIS Quarterly, Information Systems Research, Journal of Operations Management, Journal of Management Information Systems, Journal of the Association for Information Systems, European Journal of Information Systems, Journal of Information Technology, Information & Management, Decision Support Systems, Decision Sciences, and Journal of Business Research. Jose was recognized as an Association for Information Systems (AIS) Distinguished Member Cum Laude in July 2021 and received the AIS Sandra Slaughter Service Award in December 2022. He currently serves as a Senior Editor of the European Journal of Information Systems, Information & Management, and Decision Support Systems and as an Associate Editor of the Journal of the Association for Information Systems. He also serves as an Editorial Review Board member for Information Systems Research. In addition, Jose has served as a Guest Editor of Decision Sciences. His teaching interests and instructional expertise cover managing digital business transformation, digital innovation, the business value of digital technologies, IT management, IT strategy, theory development, and quantitative research methods in IS research at graduate and undergraduate levels. Jose is a passionate speaker who enjoys working with students, colleagues, and executives to positively impact the business world and society. 
He has also provided consulting services and worked on IT development and digital transformation projects with many leading companies worldwide. Jose can be contacted at [email protected].
