Guardians at the Gate: The Influence of Senior Management on Cybersecurity Culture and Awareness Training : A Qualitative Multiple Case Study

Karim, Adam, Törnqvist, Alexandra

January 2023

Background: Organisations are left vulnerable and susceptible to cyber-attacks due to the digitisation of information and dependency on information and communication technologies. As a result, the critical need for organisations to hinder, protect and preserve their cyberspace from multiple threats is emphasised. Due to human error being accountable for most electronic data breaches, a resilient cybersecurity culture is desired.  To minimise cybersecurity threats, a human-inclusive strategy must be implemented in the culture and the inclusion and engagement of strong leadership within senior management.   Purpose: The purpose of this study is to explore senior management’s role in cybersecurity culture and particularly, its influence on awareness training.   Method: The research is based on an interpretivist paradigm and adheres to abductive reasoning. Through the usage of semi-structured interviews and the utilisation of non-probability sampling, qualitative data was produced, and a multiple case study was conducted.   Conclusion: Senior management influences the practical implications in the organisation, such as training, as well as the assumptions and beliefs of its employees. Senior management influences the engagement, involvement, and responsibility of protecting and safeguarding the organisation's assets, and how this is reciprocated to the whole organisation. Furthermore, senior management addresses and manages the priority of cybersecurity in the organisation. Thus, employee behaviour and attitude are greatly impacted by senior management engagement and presence, showcasing a positive correlation between senior management influence and employee behaviour and beliefs.

Cybersecurity

Cybersecuirty Culture

Senior Management

Awareness Training

Business Administration

Företagsekonomi

Treinadores de sentido: notas etnográficas sobre atividades motivacionais modernas / Trainers of meaning: ethnographic notes on modern motivational activities

Oliveira Junior, Jorge Gonçalves de

07 December 2015

O objeto desta dissertação são as atividades motivacionais modernas, ou seja, atividades voltadas para a criação de um estímulo em indivíduos que, supõe-se, necessitam de um sentido para seu trabalho e/ou sua vida. Tais atividades demandam interrupções da rotina e uma reflexão sobre a própria trajetória do praticante, e há uma oferta variada de produtos com esse fim, oferecidos por empresas especializadas. Neste trabalho nos concentramos em analisar palestras motivacionais, um grupo de encontro de fim de semana chamado Leader Training e o coaching associado à programação neurolinguística (PNL). Buscamos realizar observações participantes, entrevistas e análises de material de divulgação, livros, vídeos e sítios da internet a fim de conseguir apreender essas práticas em suas diversas facetas. Nossa análise e interpretação buscou compreender os mecanismos e estratégias dessas atividades para construção de sua eficácia, por meio de narrativas e performances que buscam realinhar as intenções dos participantes com uma noção convencional de sucesso e felicidade, observando as diferentes maneiras como o discurso científico é acionado e o religioso é sutilmente sugerido na elaboração de seus conteúdos. Operando comparações das descrições de campo com a teoria antropológica, em intersecção com uma análise baseada nos pressupostos dos science studies na sua forma de conceber o moderno em suas simetrias com o não-moderno, acreditamos ter contribuído com a ampliação do olhar sobre o objeto. / The object of this dissertation are the \"modern motivational activities\", i.e. activities aimed at creating an incentive in individuals who, one assumes, require a meaning to their work and/or their life. Such activities require routine interruptions and a reflection on the participants own trajectory, and there is a wide range of products for this purpose, offered by specialized companies. In this dissertation, we focus on analyzing motivational talks, a weekend group meeting called Leader Training and coaching associated with Neuro-Linguistic Programming (NLP). We seek to conduct participant observation, interviews and analysis of promotional materials, books, videos and websites in order to be able to understand these practices in its various facets. Our analysis and interpretation sought to understand the mechanisms and strategies of these activities to build their effectiveness through narratives and performances, that seek to realign the intentions of the participants with a conventional notion of success and happiness, noticing the different ways in which scientific discourse is triggered and the religious is subtly suggested in the development of its contents. We believe that we have contributed to broaden the view on the subject, operating comparisons of field descriptions with the anthropological theory, in intersection with an analysis based on the assumptions of Science Studies in their way of conceiving the modern in its symmetries with the non-modern.

Atividades motivacionais

Coaching and NLP

Coaching e PNL

Gurus

Gurus

Large group awareness training

Large group awareness training

Motivational activities

Ontologias da modernidade

Ontology of modernity

Treinadores de sentido: notas etnográficas sobre atividades motivacionais modernas / Trainers of meaning: ethnographic notes on modern motivational activities

Jorge Gonçalves de Oliveira Junior

07 December 2015

O objeto desta dissertação são as atividades motivacionais modernas, ou seja, atividades voltadas para a criação de um estímulo em indivíduos que, supõe-se, necessitam de um sentido para seu trabalho e/ou sua vida. Tais atividades demandam interrupções da rotina e uma reflexão sobre a própria trajetória do praticante, e há uma oferta variada de produtos com esse fim, oferecidos por empresas especializadas. Neste trabalho nos concentramos em analisar palestras motivacionais, um grupo de encontro de fim de semana chamado Leader Training e o coaching associado à programação neurolinguística (PNL). Buscamos realizar observações participantes, entrevistas e análises de material de divulgação, livros, vídeos e sítios da internet a fim de conseguir apreender essas práticas em suas diversas facetas. Nossa análise e interpretação buscou compreender os mecanismos e estratégias dessas atividades para construção de sua eficácia, por meio de narrativas e performances que buscam realinhar as intenções dos participantes com uma noção convencional de sucesso e felicidade, observando as diferentes maneiras como o discurso científico é acionado e o religioso é sutilmente sugerido na elaboração de seus conteúdos. Operando comparações das descrições de campo com a teoria antropológica, em intersecção com uma análise baseada nos pressupostos dos science studies na sua forma de conceber o moderno em suas simetrias com o não-moderno, acreditamos ter contribuído com a ampliação do olhar sobre o objeto. / The object of this dissertation are the \"modern motivational activities\", i.e. activities aimed at creating an incentive in individuals who, one assumes, require a meaning to their work and/or their life. Such activities require routine interruptions and a reflection on the participants own trajectory, and there is a wide range of products for this purpose, offered by specialized companies. In this dissertation, we focus on analyzing motivational talks, a weekend group meeting called Leader Training and coaching associated with Neuro-Linguistic Programming (NLP). We seek to conduct participant observation, interviews and analysis of promotional materials, books, videos and websites in order to be able to understand these practices in its various facets. Our analysis and interpretation sought to understand the mechanisms and strategies of these activities to build their effectiveness through narratives and performances, that seek to realign the intentions of the participants with a conventional notion of success and happiness, noticing the different ways in which scientific discourse is triggered and the religious is subtly suggested in the development of its contents. We believe that we have contributed to broaden the view on the subject, operating comparisons of field descriptions with the anthropological theory, in intersection with an analysis based on the assumptions of Science Studies in their way of conceiving the modern in its symmetries with the non-modern.

Atividades motivacionais

Coaching e PNL

Gurus

Large group awareness training

Ontologias da modernidade

Coaching and NLP

Gurus

Large group awareness training

Motivational activities

Ontology of modernity

THE SHAPING OF MANAGERS’ SECURITY OBJECTIVES THROUGH INFORMATION SECURITY AWARENESS TRAINING

Harris, Mark

25 June 2010

Information security research states that corporate security policy and information security training should be socio-technical in nature and that corporations should consider training as a primary method of protecting their information systems. However, information security policies and training are predominately technical in nature. In addition, managers creating security policies rely heavily on security guidelines, which are also technically oriented. This study created a series of information security training videos that were viewed by four groups of managers. One video discussed the socio-technical aspects of security, another discussed only the social aspects of security, the third detailed only the technical aspects of security, and the fourth was a control video unrelated to information security. Each group was shown the video, and after this viewing, each group’s values toward information security were ascertained and converted into security objectives following Keeney (1992)’s value-focused thinking approach. Each group’s list of security objectives were used as the input to Schmidt (1997)’s ranking Delphi methodology, which yielded a more concise and ranked list of security objectives. The results thus obtained, indicate that manager’s objectives towards information security are affected by the nature and scope of the information security training they receive. Information security policy based on each group’s value-based security objectives indicate that manager’s receiving socio-technical training would produce the strongest information security policy when analyzing the value-focused thinking list of security objectives. However, the quality of security policy decreases when analyzing the ranked Delphi list of security objectives, thus providing mixed results. The theoretical contribution of this research states that technically oriented information security training found in corporations today affects manager’s values and security objectives in a way that leads them to create and support technically oriented security policies, thus ignoring the social aspects of security. The practical contribution of this research states that managers should receive socio-technical information security training as a part of their regular job training, which would affect their values and lead to socio-technical information security policy based on the manager’s socio-technical security objectives. The methodological contribution of this research demonstrates the successful use of the value-focused thinking approach as the input to the ranking of the Delphi methodology.

Awareness Training

Security Policy

Information Systems

Delphi

Value-focused Thinking

Business

Management Information Systems

Phonemic awareness and learning to read : a longitudinal and quasi-experimental study

Olofsson, Åke

January 1985

Phonemic awareness is the ability to attend to the formal, phonetic or phonemic, aspects of spoken language. Skill in analysis of speech sounds and synthesis of phonetic segments into real words has often been found to correlate with success in reading acquisition. The nature of this relationship was investigated by postulating a causal model for the effect of phonemic awareness in kindergarten on reading and spelling skill in the first school years. The quantitative implications of this model were estimated with path-analysis in a kindergarten - grade 3 passive observational study. In order to experimentally test the effect of phonemic awareness a 8 week training program in kindergarten was evaluated using a quasi- experimental design in field settings. The effects of this program were evaluated in kindergarten, in grade 1 and in grade 2. Methodological problems in evaluation research were discussed. The results from the quasi- experimental study was further elucidated applying structural equation modeling with latent variables (LISREL). Clear effects of the training program were found on phonemic awareness tasks in grade 1 and on spelling in grade 2. More subtle effects were found on reading and spelling of simple words in grade 1. No effect was found on rapid silent word decoding. The LISREL analysis was interpreted in favour of a model with phonemic awareness effecting phonological processing which in turn is essential for the early reading development. The results were interpreted as supporting an interactive-compensatory limited capacity model of reading. Phonemic awareness helps the child to understand the alphabetical principle and ensures the development of an effective system for representing written language. Trained children find it easier to learn spelling-sound relations. / <p>Diss. (sammanfattning) Umeå : Univ., härtill 5 uppsatser.</p> / digitalisering@umu

Phonemic Awareness

Phonemic Awareness Training

Reading Acquisition

Causal Modeling

Reading Readiness

Metaphonology

An Analysis of the Impact of a Behavioral Style Awareness Training Program on Retail Sales Effectiveness of Commission Sales Personnel in a Major Department Store Chain in the Southwest

Gregg, Sharon F. (Sharon Fowler)

08 1900

The success of any retail institution depends upon many factors including personal selling effectiveness. Traditional sales training has focused primarily on the selling process with emphasis on how to close a sale. The idea of using behavioral style awareness training with salespeople has emerged only recently when behavioral training began to be recognized in the literature as a tool for sales training as well as for management training. The Social Style of Behavior concept developed by Dr. David Merrill was selected for use in this research study. Utilizing this concept, a behavioral style awareness training program was developed involving twenty hours of classroom training. Training methods used were lecture, role play, and videotaped materials with emphasis on behavioral identification and using versatility with applications to personal selling in a retail situation.

behavioral style awareness training

sales training

retail salespeople

Sales personnel, Training of.

Selling.

Information Security Training and Serious Games

Agrianidis, Anastasios

January 2021

The digital transformation of the 21st century has led to a series of new possibilities and challenges, where one major concern of many major organizations and enterprises is promoting Information Security Awareness and Training (ISAT) for their employees. This aspect of Information Security (IS) can promote cybersecurity in the work environment against threats related to the human factor. Apart from traditional methods as workshops and seminars, researchers study the effect of gamification on ISAT, by proposing customized digital games to train employees regardless their IT skills. This thesis is trying to propose what techniques and approaches can be considered to train people throughout a full threat progression by studying the features of previous efforts. For this purpose, a literature study based on the principles of a systematic literature review (SLR) is essential to gather the available data and review their characteristics. More specifically, the solutions of the researchers are analyzed against the seven steps of the Lockheed Martin Cyber Kill Chain (LM CKC), where each game is classified to one or more phases, according to the training they offer. Thus, some tools can provide a wide range of training, covering many aspects of the CKC, while others are targeting a specific IS topic. The results also suggest that popular attacks involving social engineering, phishing, password and anti-malware software are addressed by many games, mainly in the early stages of the CKC and are focus on trainees without professional IT background. On the other hand, in the last two phases of the CKC, the majority of categorized games involves countermeasures that IS specialists must launch to prevent the security breach. Therefore, this study offers insight on the characteristics of serious games, which can influence an ISAT program, tailored to the enterprise’s distinct IS issue(s) and the IT background of the trainees.

Information Security Awareness Training

Serious Games

Lockheed Martin Cyber Kill Chain

Computer Systems

Datorsystem

Information Systems

INFORMATION SECURITY AWARENESS TRAINING FOR END-USER : A Survey on the Perspective of Nordic Municipalities

Al Salek, Aous

January 2021

The reliance on information systems in daily operations in organizations made these systems and the security thereof a vital asset that must be protected. Traditionally, technical solutions were thought to be the critical factor in achieving security requirements. However, this has changed with research advancements into information security, suggesting that users are the root cause of the majority of information security incidents. It is widely accepted that an integral part of the methodology of securing information systems is end-user Information Security Awareness Train-ing (ISAT). The goal of ISAT is described to be a change in user behavior. As a result, research into the area has been steadily improving the ways ISAT is carried out. Yet, information security incidents are still on the rise with no indication of slowing down. Previous research has mainly examined users’ experience in relation to ISAT with very little focus on the organizational per-spective. In this study, the organizational perspective on the preferences and expectations of ISAT is examined by inviting all Nordic municipalities to participate in an online survey. The survey consisted of two parts; the first part focused on the current state of ISAT in Nordic municipalities. The second part examined the ideal design of ISAT according to participants. The results obtained from the survey revealed that the participating Nordic municipalities are well aware of recent developments in ISAT. Furthermore, their preferences and expectations of ISAT and what they consider an ideal design of ISAT conform to what is suggested in the literature—with some ex-ceptions. However, there seems to be a gap between knowing about recent developments and having a desired ideal design that conforms to the literature on one side, and actually applying these in production on the other side.

information security

information security awareness training

information systems

ISAT

user security training

Information Systems

Awareness and training: the influence on end-user' attitude towards information security policy compliance

Snyman, Mmabatho Charity

02 1900

Research accentuates that end-users‘ noncompliance with information security policy (ISP) is a key concern for government just as it is for the private sector. Although awareness and training programmes are important factors impacting employees‘ intentions to comply with an organisation‘s ISP, it can be argued that there is insufficient empirical evidence to support this assertion. To address this gap, this study seeks to expand research on ISP compliance by focusing on attitudes as targets of change. A research model based on the Theory of Planned Behaviour was proposed to illustrate the influence of ISP awareness training on end-users‘ attitudes towards complying with their organisation‘s ISP. Relevant hypotheses were developed to test the research conceptualisation. A survey and an experiment was undertaken to collect the data from a sample of 173 end-users of a single government organisation in one province. The data was captured and analysed using a Statistical Package for Social Sciences (SPSS). Furthermore, Structural Equation Modelling (SEM) was used to test whether the overall model appears to be a good fit to support the hypotheses. The reliability, validity, and model fit were found to be statistically significant, and three out of five research hypotheses were supported. Overall this study contributes to the existing body of knowledge by providing an understanding of the methods that can be used to encourage end-users‘ ISP compliance behaviour through an attitudinal shift, thereby targeting end-users‘ attitude as a means to improve information security policy compliance. Implications of the findings are further discussed in the paper. / Information Technology / M. Tech. (Information Technology)

Attitudes

Information security

Information security policy

Awareness training

Intentions to comply

Information security compliance

Self-efficacy

005.8

Computer security -- Government policy

Data protection -- Government policy

Computer networks -- Security measures

Compliance auditing

Information technology -- Management