Publication Date
July 2023
Abstract
Prevalent security threats caused by human errors necessitate security education, training, and awareness (SETA) programs in organizations. Despite strong theoretical foundations in behavioral cybersecurity, field evidence on the effectiveness of SETA programs in mitigating actual threats is scarce. Specifically, with a broad range of cybersecurity knowledge crammed into in a single SETA session, it is unclear how effective different types of knowledge are in mitigating human errors in a longitudinal setting. his study investigates how knowledge gained through SETA programs affects human errors in cybersecurity to fill the longitudinal void. In a baseline experiment, we establish that SETA programs reduce phishing susceptibility by 50%, whereas the training intensity does not affect the rate. In a follow-up experiment, we find that SETA programs can increase employees’ cybersecurity knowledge by 12-17%, but the increment wears off within a month. Furthermore, technical-level knowledge decays faster than application-level knowledge. The longer “shelf-life” of application-level knowledge explains why training intensity makes no difference within a month. This study reveals a (relatively) more effective component of SETA programs and cast doubts on the overall effectiveness of SETA programs in the long run.