Prevention is better than cure! Designing information security awareness programs to overcome users' non-compliance with information security policies in banks

Bauer, Stefan, Bernroider, Edward, Chudzikowski, Katharina

17 April 2017

In organizations, users' compliance with information security policies (ISP) is crucial for minimizing information security (IS) incidents. To improve users' compliance, IS managers have implemented IS awareness (ISA) programs, which are systematically planned interventions to continuously transport security information to a target audience. The underlying research analyzes IS managers' efforts to design effective ISA programs by comparing current design recommendations suggested by scientific literature with actual design practices of ISA programs in three banks. Moreover, this study addresses how users perceive ISA programs and related implications for compliant IS behavior. Empirically, we utilize a multiple case design to investigate three banks from Central and Eastern Europe. In total, 33 semi-structured interviews with IS managers and users were conducted and internal materials of ISA programs such as intranet messages and posters were also considered. The paper contributes to IS compliance research by offering a comparative and holistic view on ISA program design practices. Moreover, we identified influences on users' perceptions centering on IS risks, responsibilities, ISP importance and knowledge, and neutralization behaviors. Finally, the study raises propositions regarding the relationship of ISA program designs and factors, which are likely to influence users' ISP compliance.

A Study of the Effect of Information Security Policies on Information Security Breaches in Higher Education Institutions

Waddell, Stanie Adolphus

01 January 2013

Many articles within the literature point to the information security policy as one of the most important elements of an effective information security program. Even though this belief is continually referred to in many information security scholarly articles, very few research studies have been performed to corroborate this sentiment. Doherty and Fulford undertook two studies in 2003 and in 2005 respectively that sought to catalogue the impact of the information security policy on breaches at businesses in the United Kingdom. The pair went on to call for additional studies in differing industry segments. This dissertation built upon Doherty and Fulford (2005). It sought to add to the body of knowledge by determining the statistical significance of the information security policy on breaches within Higher education. This research was able to corroborate the findings from Doherty and Fulford's original research. There were no observed statistically significant relationships between information security policies and the frequency and severity of information security breaches. This study also made novel contributions to the body of knowledge that included the analysis of the statistical relationships between information security awareness programs and information security breaches. This effort also analyzed the statistical relationships between information security policy enforcement and breaches. The results of the analysis indicated no statistically significant relationships. Additionally, this research observed that while information security policies are heavily utilized by colleges and universities, security awareness training is not heavily employed by institutions of higher education. This research noted that many institutions reported not having consistent enforcement of information security policies. The data observed during this research implies there is room for additional coverage of formal information security awareness programs and potentially a call to attempt alternative training methods to achieve a reduction of the occurrences and impact of security breaches. There is room for greater adoption of consistent enforcement of policy at higher education organizations. The results of this dissertation suggest that the existence of policy, training, and enforcement activities in and of themselves are not enough to sufficiently curtail breaches. Additional studies should be performed to better understand how breaches can be reduced.

Awareness Programs

Colleges and Universities

Information Security

Information Security Policies

Policy Enforcement

Security Breaches

Computer Sciences

The Development of a Curriculum Guide for a Cancer Awareness Program for Older Adult Males

Nielsen, Shelley K. (Shelley Kay)

08 1900

This thesis focused on the development of a curriculum guide for a cancer awareness program for older men. The background of the problem -- a lack of programs for older men -- and the methods used in developing the guide are detailed in Chapter One. The second chapter consists of current information on disease prevention, aging and cancer with the emphasis on age-related changes and learning needs of older adult men. Chapter Three is the completed instructor's curriculum guide, and the final chapter includes recommendations on implementing the program as part of a community wellness program. The guide could also be used in senior centers, hospital educational programs, or adapted for use in staff inservices.

curriculum guides

cancer awareness programs

older men

community wellness programs

Cancer -- Study and teaching.

Older men -- Health and hygiene.