Abstract
Purpose – The purpose of this paper is to measure and discuss the long-term effects of an e-learning tool aiming at improving the information security knowledge, awareness, and behaviour of employees.
Design/methodology/approach – The intervention study had two assessments of knowledge and attitudes among employees: one survey, one week before the intervention, and one survey eight months after the intervention. The population was divided into an intervention group and a control group, where the only separated the groups was participation in the intervention (i.e. the e-learning tool).
Findings – The study documents that the effects of the intervention on security awareness and behavior partly remains more than half a year after the intervention, but that the detailed knowledge on information security issues diminished during the period. The study also discusses how such courseware can contribute to long-term organizational learning compared with human interventions such as action research. Both human resource management and internal promotion are necessary input in the process to successfully educate and train employees in information security.
Research limitations/implications – One weakness of concern is the low response rate of 37 in the final analysis.
Practical implications – The study can document that short-time effects of software supported information security awareness on employees' knowledge, behaviour, and awareness diminish over time. It is thus important to maintain and continually perform information security awareness. More interventions studies, following the same principles as presented in this paper, of other user-directed measures is needed, to test and document the effects of different measures.
Originality/value – The paper is innovative in the area of information security research as it shows how an information security intervention can be measured.
Design/methodology/approach – The intervention study had two assessments of knowledge and attitudes among employees: one survey, one week before the intervention, and one survey eight months after the intervention. The population was divided into an intervention group and a control group, where the only separated the groups was participation in the intervention (i.e. the e-learning tool).
Findings – The study documents that the effects of the intervention on security awareness and behavior partly remains more than half a year after the intervention, but that the detailed knowledge on information security issues diminished during the period. The study also discusses how such courseware can contribute to long-term organizational learning compared with human interventions such as action research. Both human resource management and internal promotion are necessary input in the process to successfully educate and train employees in information security.
Research limitations/implications – One weakness of concern is the low response rate of 37 in the final analysis.
Practical implications – The study can document that short-time effects of software supported information security awareness on employees' knowledge, behaviour, and awareness diminish over time. It is thus important to maintain and continually perform information security awareness. More interventions studies, following the same principles as presented in this paper, of other user-directed measures is needed, to test and document the effects of different measures.
Originality/value – The paper is innovative in the area of information security research as it shows how an information security intervention can be measured.