Abstract
Security standards help to create security policies, but they are often very descriptive, especially when it comes to security awareness. Information systems security awareness is vital to maintain a high level of security. SETA programs (Security Education, Training and Awareness) increase information systems security awareness and play an important role in finding the strategic balance between the prevention and response paradigms. By reviewing the literature, we identify guidelines for designing a SETA program following a PDCA (Plan Do Check Act) cycle.
© 2022 IFIP International Federation for Information Processing
About this paper
Cite this paper
de Casanove, O., Leleu, N., Sèdes, F. (2022). Applying PDCA to Security, Education, Training and Awareness Programs. In: Clarke, N., Furnell, S. (eds) Human Aspects of Information Security and Assurance. HAISA 2022. IFIP Advances in Information and Communication Technology, vol 658. Springer, Cham. https://doi.org/10.1007/978-3-031-12172-2_4
DOI: https://doi.org/10.1007/978-3-031-12172-2_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-12171-5
Online ISBN: 978-3-031-12172-2
eBook Packages: Computer Science (R0)