Chair or Co-Chair: Dr. Humayun Zafar
Committee Member or Co-Chair: Dr. Saurabh Gupta, Dr. Michael Whitman
THE MISUNDERSTOOD LINK BETWEEN TRAINING AND REAL-WORLD INFORMATION SECURITY OUTCOMES: SENSEMAKING
Henry G. Torres
Information security research literature identifies insecure user behavior, including failure to recognize phishing, as a leading cause of information security breaches, driving up the costs organizations incur to keep information secure. The literature recommends training employees in secure information systems behavior as a good way for organizations to keep information secure. This study argues that the traditional methods and goals of information security training are themselves a contributing factor to the continued rise in insecure employee behavior. It posits that the traditional approach recommended in the research literature is failing because its focus on improving skills in procedural, policy, and compliance activities does not produce secure information systems user behavior. The approach taken here is to confront that failing training by using design science research (DSR) to develop an enhanced information security training and to study specifically the effects the training has on secure user behavior. Using DSR as a guide strengthens the rigor of the study: the training is enhanced by introducing the sensemaking process as a companion to information security training.
The sensemaking literature describes a process by which people make sense of events occurring in their environment and decide how to respond and react. This study posits that information security training with a sensemaking perspective, one that focuses on how information systems users understand and interpret their current situations and on how they act on that interpretation, is a better approach than existing training and can lend insight toward reducing employee error and negligence. The model investigates whether a training design that includes sensemaking elements as input goals, matched to the sensemaking process and to knowledge transfer outcomes that emphasize and measure affective and metacognitive learning, has a positive impact on secure behavior when using information systems.
The study compares the existing training with the new sensemaking-based training. The model was tested empirically with 217 participants across various professions, using a two-group, pretest-posttest experimental design with random assignment of participants to an experimental group, which took the newly developed training, and a control group, which took the standard security training. The results show that participants in the sensemaking-based training rated their experience higher than participants in the standard training, supporting the hypothesis that sensemaking-based information security training has a positive impact on participants' attitudes toward information security training. The results do not support a positive impact of the new training on participants' threat appraisal, but they do support a positive impact on participants' coping appraisal. The study demonstrates that there is an opportunity to improve information security user behavior through the use of this training.
Available for download on Sunday, April 30, 2028