Management Last Essay(1)

Page 1: Management Last Essay(1)

How training affects information security compliance

1. Introduction

Information system security depends mostly on people’s behavior. Intentional adverse actions against information systems are responsible for breaches of information security compliance. Many critical information security activities cannot be handled automatically. Therefore, a company needs to hire someone to take care of the information system and provide that person with sufficient security training. In addition, humans are the “weakest link” in the information security chain (Schneier, 2000), so it is mandatory to train all users correctly in information security compliance. The goal of the training is to ensure that users follow the necessary policies and do not misuse information security compliance. Unfortunately, when information security training is provided to employees or a maintainer, there is always a risk of leaking the employer’s compliance.

Moreover, companies are actively adopting technology in their working processes. Servers have replaced paper, databases have replaced books, and all important client data is stored online. The questions of how to protect personal information from being stolen and how to keep certain data confidential are now arising. One of the weakest points in information security is people, including employees and users: “Only amateurs attack machines; professionals target people” (Schneier, 2000). The problem of the human factor in information security is serious. Our group’s umbrella question is the effect of training on employee compliance, and whether it could be a possible solution to the existing nonconformity. A new understanding is emerging regarding information systems security. People are beginning to realize that no matter how technologically advanced security products become, or how sound and widely accepted the devised security processes are, the achieved security level will always depend on the compliance of people. Security compliance is regarded as “The Next Frontier in Security Research” by some researchers in the field, and the means of achieving security compliance constitute an active area of research. Some of the research focuses on monitoring and controlling, and on the use of motivation and fear or rewards and punishments to achieve compliance, while other research focuses on training. In this essay, we focus on training and analyze the results of prior research to try to determine whether long-lasting behavioral changes related to security compliance can be achieved by training.

The rest of the essay is organized as follows. The next section reviews prior scientific literature on the use of training to achieve security compliance. Next, we discuss targeted training and go through the benefits of training. Then we present the factors of information security and the shortcomings of existing approaches. In the last section, we illustrate two existing frameworks.

2. Prior scientific literature

Before the advent of the era of networks, data files and information were collected on paper. Although paper-based work is still widespread, with the emergence of networks and easy access to the Internet, much information is now transmitted and processed over the Internet. A huge amount of information is stored and retrieved digitally, and it is disseminated and replicated with high accuracy and speed. In parallel with the development of local and global networks, threats, theft and destruction of information have increased to the point that this has become perhaps one of the most important issues in information security and protection. From the late 1980s, different standards for information security, such as ISO/IEC, BS7799, ISO/IEC 27001 and ISO/IEC TR 13335, were created, and many organizations established their own information security by implementing information security management systems (ISMS) for evaluating information systems. From 2000 until now, there has been a great deal of research on information systems.

Figure 1 - Overall awareness level

(Maconachy, 2001) examines important dimensions of information security, paying attention to the main features of IS (availability, accuracy, trustability), security actions (technology, policies, procedures, and training and awareness) and information situations (transmission, memory and processing) for achieving information security.

In another study, Chang found that organizational culture has a direct influence on the effectiveness of implementing an information security culture (Ernest Chang, 2007). Organizational elements including cooperativeness, innovativeness, consistency and effectiveness were examined against the ISM principles (confidentiality, integrity, availability and accountability), and the study showed that all aspects of organizational culture have a positive effect on IS compliance.

(Kruger & Kearney, 2010), in assessing IS training using a vocabulary test, also argued that raising employees’ IS awareness level through a vocabulary test is effective and useful and has a positive effect on employees’ behavior.

3. Targeted Training

Human factors lead to non-compliance. Organizations implement information security policies to ensure that their information resources are safe, but if employees and users of information systems are reluctant to follow information system security policies, the organization’s effort will be futile. In recent years, researchers have been looking for new ways to improve the security behavior of staff and users in organizations, so as to promote the understanding and acceptance of security concepts and policies in organizations. It has been proved that security cannot be achieved through technology alone. Organizations should consider formal and informal mechanisms such as policies and procedures, organizational culture and the human role in security.

Today the success of information security seems to depend largely on the effective behavior of those who work with it. Accurate and constructive behavior by users, administrators and other people can greatly improve the effectiveness of information security, while inappropriate and destructive behavior can fundamentally hinder it. Organizations must ensure that staff accept security measures to protect the organization’s data and the investments in its systems. Formal training is usually carried out before the deployment of security measures to protect information systems. Recently reported security events show that recklessness of employees and non-acceptance of security measures by staff often cost organizations millions of dollars.

People and human factors have features such as being stubborn, capricious, untidy and complex. Dimensions of information systems such as the values, ways of thinking, beliefs and norms that influence employee behavior can be addressed with the theory of reasoned action (TRA) or the theory of planned behavior (TPB) (Huang, 2009).

Figure 2. Theory of reasoned action [16]

Both of these theories consider the relationship between thinking, intention and behavior, and both consider why people behave in a certain way (Huang, 2009).

Figure 3. Theory of planned behavior [16]

3.1. Barriers to compliance

In addition to the fact that employees should know why it is required to report security breaches and understand how to do so, they should also be able to identify a security violation. Although some employees feel that reporting a security breach committed by a new employee is unfair, they have to report it. However, some believe that new employees should be given another chance, and that in this way they will feel safe and tend to discuss the security issue with their colleagues and find out how to handle it properly. In addition, from my own experience, some staff violated the meaning of the security law and did not want to report the violations, which in their mind were nonsense and inefficient. The performance of some of them was such that responsibility was not their duty, so as a result they refused to obey policies.

I remembered that some of the staff were asking, “Why should I not use memory cards when everyone was using them to send information?” Another organizational factor that adds to these problems is conflicting goals. Many employees work under a lot of pressure to deliver products in a short period of time, which may conflict with the time-consuming process. In this situation, employees should know how to prioritize security purposes by defining their duties. The obstacles mentioned above have created a greater gap between expected behavior and actual behavior.

4. Benefits from Training your Employees

Having highly skilled employees is a huge benefit to any company or organization. A company’s success may be directly attributed to its individual employees’ skills, and this fact should not be overlooked. Many organizations spend too much money on third-party consultants to cover essential business tasks, including vulnerability scans, developing policies (especially security policies) and other important things. Providing these services internally can be a great benefit, and the cost of training employees proves to be much cheaper in the long run (Murison).

Of course, outside consultants are sometimes required, but having internal expertise can be very valuable to the company. Identifying and preventing security weaknesses in systems, instead of relying on an external auditor during a compliance audit, will save your organization from creating a fix to meet minimal compliance requirements.

Although it is tempting to cut costs, such as training costs, that do not directly generate profit, investing more in training has been shown to give employees a better sense of worth and, consequently, higher productivity (Murison).

5. How employees benefit from IS training

Nowadays technologies are developing rapidly. Staying safe from attacks and threats is a desire of both the employee and the company, in order to keep their position on top of the trends. For employees, developing their knowledge should not be hindered or stopped after leaving college; it should continue as training in companies. This benefits both the employee’s career and the company itself.

For example, career security, a higher salary and promotions can all be benefits of acquiring useful new knowledge. Managers may be tempted to cut the cost of training their employees to save budget, and they may think that it is easy for employees to gain the knowledge by themselves through cheaper means such as books or online training services. These options are cheaper, but they do not have the same benefits and may not be efficient. “Real-world” problems and issues cannot always be replicated easily through reading online resources and books.

On the other hand, IS will be of more interest to employees if they know that they can also protect their own data and information better, and that if they do not follow security policies they may expose their own data as well as the company’s critical information. An IT expert’s role in a company usually also includes specialization. Having specialized skills helps employees in their own careers and helps the company develop its security solutions (Murison).

6. Impact of Information Security Factors

Information security factors can be managed in three ways: training factors, organizational factors and behavioral factors (Waly et al., 2012).

6.1. Training Factors

The training teaches skills that allow a trainer to perform a specific function. Training on information security has more advantages for those who depend on technology for sharing information to carry out their work. It could be argued that the information security awareness and training program provided to employees reduces security breach factors and vulnerabilities in the organization. However, researchers have shown that security training and awareness programs are useless, because most employees do not use the learned skills and do not follow the appropriate behavior in the work environment (Waly et al., 2012).

An awareness of the training factor suggests training system administrators in information security courses. System administrator training includes information management controls, operational controls and technical controls. The system administrator needs strong knowledge from training to deal with situations in which he has been given rights to use employees’ or the employer’s sensitive data. Misuse of any information by the system administrator affects information security compliance (Guttman and Roback, 1995).

Training educates employees and instills appropriate behavior to reduce security threats, and it improves information security management. Information security training and awareness programs have a great influence on an organization’s culture by encouraging security practices (Waly et al., 2012).

6.2. Behavioral Factors

An employee’s cultural, individual, social and psychological factors affect his or her behavior. Employees’ individual values and beliefs are considered crucial to organizational success (Waly et al., 2012). One study shows that several access control security incidents were noticed on some enterprises’ network IT systems. The incidents led to the leaking of some clients’ and partners’ confidential data, and some records were erased using another employee’s resources. In addition, all employees’ salaries were made publicly known through the use of human resources files. The incidents happened because of misuse of user access rights, where the original user gave a computer password to another user. These incidents involved poor password practices and leaving the logon screen of the employer’s online-access computer unlocked during lunch hours or after office hours, and those employees were well trained. The negligent attitudes of trained employees affect IS (information security) compliance (Eminagaoglu et al., 2009). It must be understood that security depends on the individuals who implement and interact with it.

6.3. Organizational Factors

A safety factor can prevent incidents arising from failures such as policy failures, equipment failures or human errors. Organizational factors include the effectiveness of commitment, security management support, and security risks and threats. Sometimes people’s lack of enthusiasm, or unwillingness to change their present work responsibilities, is a factor in organizations. The IS policy must be enforced in an organization to make security effective (Waly et al., 2012).

However, IST (Information Security Training) is an excellent method for improving human performance, such as individual skill, knowledge and attitude. The focus and purpose of IST is to produce relevant information security skills, but the method fails when the exact methods taught during training are not used. Without any training, new users or employees do not understand how to protect their systems or information effectively (Amankwa et al., 2014).

In most cases, information security fails because of poor practice. Since the most critical threat to information security is the careless attitude of employees, who do not comply with the set of IS security policies, awareness is all the more important. By using IS security awareness, we can reduce the factor of human error and increase employees’ knowledge in this field.

6.4. Target Group

Information security training is needed for the top management team of a company or organization. The management team obliges employees to take information security training so that they follow its rules and regulations. In addition, training is needed for managing information systems. If employees have proper IS (information security) training, they can handle security threats. End users must also have IS training to protect themselves.

7. Shortcomings of existing approaches

Many companies sell information systems security training as a product, and they sometimes explicitly advertise it as a remedy for IS security compliance issues. Many of us would like to know how a product actually works and whether its functionality has been verified before we purchase it, especially if it is something new to us. Assume you are responsible for the IS compliance of an organization, and you want to buy one of these training programs. How would you convince yourself and others that it works? How would you choose among the alternatives? If you have already identified a set of non-compliant behaviors, or if employees sharing a common profile are the subject of the compliance issue, how would you know which training program would better address the specific compliance problems you have in your organization? Or which one would be more effective when practiced in the particular settings of your organization? These questions, and others like them that may come to mind, can be answered definitively and without bias only if there is scientific work backing up the claims of the training program. But can existing studies on IS security training help us answer these questions about the training approaches they consider? Our claim is that they cannot help much, due to shortcomings of the adopted approaches. We discuss these shortcomings in the rest of the section. For the rest of this section, when we use the word training, the reader should understand IS security compliance training, in other words, training aimed at eliciting long-lasting behavioral changes leading to increased security compliance.

(Puhakainen & Siponen, 2010) presents a compilation of existing literature on training. According to this paper, out of 23 studies, only four attempt to explain how the training program works. Again out of these 23, only two of the studies present empirical evidence to show whether the program actually works in practice and to what degree. Similarly, in (Puhakainen, 2006), an analysis of 59 studies on IS awareness reveals that only eight studies presented a theoretical background and only a tiny fraction presented empirical evidence, conceptual analysis being the dominant research approach.

With these figures in mind, it is easy to see why it would be so hard to answer the aforementioned questions. If a training program is not theory-based, we do not know how it works; hence we lack the information we need to reason about whether it will work as well in settings other than those in the study, or whether it will break. Moreover, training is not the only path to achieving compliance. An additional benefit of using theoretically grounded approaches would be a better understanding of the interplay between different approaches to IS security compliance, such as that between a punitive approach and a training approach. For example, Arvey and Ivancevich (1980) found that punitive approaches are more effective when they are rationalized by a cognitive approach. With a theoretical understanding of approaches from both domains, it would be possible to identify complementary methods that would have the best synergy with the training program to be practiced.

Lack of empirical evidence, on the other hand, means that we do not know whether the program works in practice at all. Furthermore, without a framework to measure the effectiveness of training programs, we are restricted to biased opinions or other criteria such as price and logistical convenience when we need to choose between them. We believe these shortcomings should be overcome by adopting approaches that are theory-based and enable quantitative comparisons of effectiveness.

In this section, we discussed the necessity of change concerning the approaches to training, and the benefits this could bring to practical applications of training by making it an even more effective method of achieving IS security compliance, with measurable effects. We believe the proposed changes would allow us to come up with a much stronger answer to the question of how training affects IS security compliance than the prior studies on the subject can provide.

8. The theoretical frameworks

(Kruger & Kearney, 2006) present a case study from Australia (Figure 3) and find that the level of Information Security awareness among employees is medium (65%, as shown in Figure 1).

Figure 4 - (a) Regional awareness map of Australia; (b) global awareness map [2].

They explain that if we want our employees to comply, we need to provide more training to increase their awareness and knowledge, and to determine what data we should gather to inform the training, since more awareness leads to more compliance; for that, we need to cover the tree structure of IS awareness shown in Figure 5. On the one hand, the structure should consider all the different aspects needed for training, but it should not be too complicated to understand. On the other hand, it should define how important and necessary each factor is. They assessed information security awareness in international organizations and examined an international mining company as a case study. They categorized IS awareness into three regions, Knowledge, Attitude and Behavior, and argued that compliance with policies, building and preserving strong passwords, internet and email security, and the safety of equipment in data transmission and documentation should be covered in these regions.

Figure 5 - Tree structure of assessing IS awareness [2]

As mentioned in the shortcomings of existing approaches, organizations have to prepare theoretical frameworks for training their employees to comply with IS security. The first step is that the IS security training provides a theoretical explanation, so that trainers know the theory of how the training program helps people learn and what principles are needed for user compliance with IS security policies. As a second step, the underlying theory should provide guidance on how efficient training is to be constructed in real life. This is important for employees who need guidance to implement efficient training.

The elaboration likelihood model (ELM) became the primary underlying theory in (Puhakainen, 2010); it explains how predictable, long-lasting behavioral changes can be achieved through cognitive processing, for IS policy compliance training.

Instructional theories seem to be ideal candidates for cognitive Information Security training. For example, an instructional design theory named UCIT provides a framework for designing instruction that is custom-built for a specific learning topic (such as e-mail policy compliance) and target group (such as a certain branch of a company). Consequently, UCIT was chosen as the second base theory for Information Security compliance training (Puhakainen, 2010).

9. Learning theories

Here we will discuss two theoretical frameworks including Universal Constructive

Instructional Theory and Gagné’s learning theory.

9.1. Universal Constructive Instructional Theory

There are many different definitions of the learning process. The process can be described as “the activity or process of gaining knowledge or skill by studying, practicing, being taught, or experiencing something” (Merriam-webster.com, 2015); in terms of Information Security learning, the skills would be protecting the network from possible attacks and ensuring its integrity and, if possible, the absence of vulnerabilities. Instruction can be a way of obtaining the necessary knowledge and developing the abilities aimed at information security awareness. The Universal Constructive Instructional Theory (UCIT) opens a new perspective on instructional theories: rather than providing an opportunity for creating instructions, it helps to create a personally adapted instructional theory.

UCIT is used as a core theory for information security instructional programs to be used in the

companies. UCIT consists of three main components (Puhakainen, 2006):

1. Functions: acquisition, storage and use of knowledge. They are applied both to the person participating in the training and to the learning environment (Schott & Driscoll, 1997).

2. Basic components:

• Learning environment - teaching methods, media, instructor

• Learning task

• Learner

• A particular environment where the learning is processed (Schott & Driscoll, 1997).

3. Situated possibilities/constraints systems (SPC systems)

The information obtained during the instruction depends on the opportunities and fixed variables presented in the form of external and internal information (Schott & Driscoll, 1997).

There are different phases when applying the UCIT:

• Defining the scope of the training and clear objectives: information security compliance

• Defining the previous knowledge and skills of the future learners

• Deciding on the way to create instructions and the instructional process itself

9.2. Gagné’s learning theory

Gagné’s learning theory was developed in the 1960-1980s. The theory states that there is a scale of different ways of learning. It is important to be aware of the different types of information comprehension because each of them requires a different approach when designing the instructions. There are five main types of learning (Gredler, 1997):

· verbal information

· intellectual skills

· cognitive strategies

· motor skills

· attitudes

Knowing the classification helps in developing different learning environments. The theory also defines nine stages of instruction and learning processes (Gagne et al, 1992). They could be applied to the Information Security instructional procedure as follows:

1. Gaining attention (reception). Describing the current threats and how users could cause the

threats to the systems.

2. Informing learners of the objective (expectancy). State that by the end of the instructional

process the learners will be aware of the security threats and the risk of the human factor in the IS

will be minimized.

3. Stimulating recall of prior learning (retrieval). Interactive questions, workshops in order to

find out the prior educational background, showcase the lack of knowledge in particular fields.

4. Presenting the stimulus (selective perception). Defining the terms: vulnerability, malware,

social engineering.

5. Providing learning guidance (semantic encoding). Show how to prevent an attack from happening from the employee’s point of view: not only the employees of the IT department need to receive the training or instruction.

6. Eliciting performance (responding). Ask the learners to show an example of how an

employee could prevent the attack, find cases on IS issues or figure out the previous mistakes and

how they could be avoided.

7. Providing feedback (reinforcement). Revise the material, figure out the mistakes the

learners are making, preliminary assessment of the work done.

8. Assessing performance (retrieval). Providing scores for the tasks carried out during the

instructional period.

9. Enhancing retention and transfer (generalization). Developing future tasks for the learners

in order to help practice the knowledge gained during the instructional period

10. Conclusion

This group essay analyzes how training influences information security compliance. First, the overall awareness of information security was studied. It was found that almost 40% of the overall population does not know about information security, and that enhancing their awareness leads to more compliance. Next, the impacts of information security factors were analyzed, and we concentrated on the effects and benefits of training. The effects of those factors were found to be a possible cause for concern and to call for precautions in an organization involved in information security training. Each section in this part attempted to provide a direct answer to our research question. Moreover, it was found that there is a big gap in the empirical knowledge of the effects of training as well as in its theoretical foundation. Finally, two theoretical frameworks related to the instructional process were described. They highlighted the main steps in the teaching process that could raise the awareness and interest of employees, in order to eventually establish information security compliance.

We found that providing IS training brings many benefits for IS compliance, and even if it brings some financial cost to the company, in the long run the benefits outweigh the costs. In addition, we found that a well-trained system administrator abused information security resources by giving user access to another user. Nevertheless, awareness of the training factor suggests training the system administrator from top to bottom despite the abuse.

Our purpose in this essay was to uncover the effects of training on information security compliance. In the final part, we concentrated on the issue of making training more effective. In these sections, we looked for ways that could enable a stronger answer to the question. Our findings are based on existing research and are summarized below:

• Training improves information security awareness, and more awareness leads to more compliance.

• Training built on top of a theoretical foundation is more effective and makes it easier to motivate employees to follow IS policies and rules.
