"Generic and unusable": Understanding employee perceptions of cybersecurity training and measuring advice fatigue. Issue 128 (May 2023)
- Record Type:
- Journal Article
- Title:
- "Generic and unusable": Understanding employee perceptions of cybersecurity training and measuring advice fatigue. Issue 128 (May 2023)
- Main Title:
- "Generic and unusable": Understanding employee perceptions of cybersecurity training and measuring advice fatigue
- Authors:
- Reeves, Andrew
Calic, Dragana
Delfabbro, Paul
- Abstract:
- Security Education Training and Awareness (SETA) programs often fail to reduce organisational cyber risk, and this is linked to the way that employees perceive and appraise such programs. Rather than improving employee awareness, a poorly implemented SETA program may cause fatigue and result in risky cyber behaviours. This paper describes two studies aimed respectively at examining how SETA programs can lead to fatigue and development of a measure of SETA Advice-Related Cybersecurity Fatigue. In Study 1, a repertory grid technique was used to examine employee responses to a series of SETA videos. A total of 24 in-depth semi-structured interviews were conducted with individuals from a variety of industries. Key themes related to the content, style, and design, of cybersecurity training videos, but also employees' perceived characteristics of the intended audience and broader preconceptions of cybersecurity principles. In Study 2, we developed the Cybersecurity Advice Fatigue Scale (CAFS) Scale, a self-report measure of the fatigue which results from poor cybersecurity advice. A principal component analysis of CAFS scores for 457 working adults revealed a five-factor structure that broadly aligns with the themes identified by the qualitative analyses of Study 1. The results of both studies highlight that employees make inferences about the corporate motivation behind the SETA program, and this influences their receptivity to the content. From an applied perspective, cybersecurity practitioners can use the CAFS to identify features of their cybersecurity training programs which should be improved to enhance the program's efficacy.
- Is Part Of:
- Computers & security. Issue 128(2023)
- Journal:
- Computers & security
- Issue:
- Issue 128(2023)
- Issue Display:
- Volume 128, Issue 128 (2023)
- Year:
- 2023
- Volume:
- 128
- Issue:
- 128
- Issue Sort Value:
- 2023-0128-0128-0000
- Page Start:
- Page End:
- Publication Date:
- 2023-05
- Subjects:
- Cybersecurity -- Training -- Awareness -- Thematic analysis -- Personal construct -- Repertory grid -- Measure development -- Principle component analysis -- Fatigue -- Information security
Computer security -- Periodicals
Electronic data processing departments -- Security measures -- Periodicals
005.805
- Journal URLs:
- http://www.sciencedirect.com/science/journal/01674048
http://www.elsevier.com/journals
- DOI:
- 10.1016/j.cose.2023.103137
- Languages:
- English
- ISSNs:
- 0167-4048
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 3394.781000
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 26802.xml