As more and more governments and private companies rely on Internet and Communications Technology (ICT), maintaining information security is becoming of utmost importance. In the pursuit of preventing cyberattacks, many entities have long been adopting up-to-date technologies and software programs. Governments and commercial organizations have started considering human factors such as user role, knowledge, learning style, and psychological factors in implementing information awareness programs.
Until recently, businesses relied solely on processes and technologies to address cybersecurity threats without incorporating human factors into their plans. After continuous attacks, companies realized the importance of considering employees’ integration with the processes and technologies in effectively addressing security threats (Ki-Aries & Faily, 2017). Workers are integrated into security prevention through information security awareness (ISA) programs. Such programs aim to improve workers’ perception of the cyber security risk as credible and teach them how to prevent risks (Bada et al., 2019). Hence, ISA aims to teach people to be aware of potential cyber threats and respond accordingly.
Impact of User Characteristics on Security Awareness and Learning
Prior Knowledge
Another significant human factor impacting individuals’ engagement with information security (IS) awareness is their general knowledge about IS. Empirical evidence shows that “higher the user’s knowledge of fundamental IS applications, the more likely they are aware of securely-related issues” (Jaeger, 2018, p. 4705). Conversely, those who lack knowledge of IS are reluctant to engage in cybersecurity awareness training (Jaeger, 2018). Hence, users’ prior knowledge of security awareness-related issues can substantially impact their awareness level and learning.
Learning Style and Information Acquisition
Although a user’s learning style could be one of the potential determinants of individuals’ security awareness level, the existing literature does not present any evidence regarding this relationship. Nevertheless, empirical evidence proves that the availability of resources and campaigns dedicated to ISA can have a significant positive influence on users’ comprehension and learning of cybersecurity (Jaeger, 2018, p. 4705). Scholars have also emphasized the effectiveness of diversified and customized teaching methods, introducing game-based, text-based, and video-based methods to improve employees’ security awareness and behavior (Bauer & Bernroider, 2017). Moreover, utilizing other channels, such as sending reminders about security risks and threats to users, is also said to impact ISA positively (Bauer & Bernroider, 2017). Hence, employees are more likely to learn and engage with information security when provided with resources to do so.
Perception of Security
One of the significant human factors that influence ISA is individuals’ perception of security. Bada et al. (2019) have found that employees often treated awareness programs as “tick-box exercises” without engaging in genuine concern (as cited in Ki-Aries & Faily, 2017, p. 664). Even though IS goals were identified, from a cultural perspective, individuals did not perceive security threats as credible and hence “did not feel a need to browse internal security guidance” (Maqousi et al., 2013, as cited in Ki-Aries & Faily, 2017, p. 664). In addition, recognition and appreciation of those who engage in IS are essential since they encourage positive behavior towards IS (Dominguez et al., 2010, as cited in Ki-Aries & Faily, 2017). Meanwhile, Bauer and Bernroider (2017) emphasized that social norms, which are defined as “employee’s perception of an acceptable or permissible ISP-compliant behavior within their organization,” had a positive effect on employee compliance with information security rules (p. 50). Hence, individuals’ perceptions of information leakage and security awareness play a significant role in the success of ISA programs.
Psychological Characteristics
Another predominant factor emphasized in the existing scholarship on security awareness is the user’s psychological and character traits. Namely, Parsons et al. (2017) have found that individuals with personality traits such as conscientiousness and agreeableness demonstrated higher scores on the Human Aspects of Information Security Questionnaire (HAIS-Q). More agreeable individuals are more concerned about what other people think of them; hence, they are more likely to be cautious in their security behavior (Shropshire et al., 2015, as cited in McCormac et al., 2017). On the contrary, individuals who are more impulsive, with a higher propensity to take risks, tend to score higher on ISA (McCormac et al., 2017). This finding is also supported by Hadlington (2017), who found that highly impulsive individuals often show little concern for their actions and hence violate cybersecurity rules. The author also found that users with internet addiction were more likely to demonstrate risky security behavior (Hadlington, 2017). Thus, although some scholars disagree on the nature of the relationship, many agree that personality traits are significant factors that might influence ISA.
Personal Norms
The existing literature also emphasizes the importance of employees’ personal norms on the increased intention to comply with information security awareness programs. Specifically, Bauer and Bernroider (2017) have found that users often apply neutralization techniques, which are “justifications, which individuals invoke to convince themselves, and others, that their deviant behaviour is justifiable or excusable” (p. 50). This concept includes techniques such as “condemnation of the condemners,” “defense of necessity,” “denial of injury,” “denial of responsibility,” with the former two techniques being the most important ones (Bauer & Bernroider, 2017, p. 58). In other words, by applying such techniques, employees often did not comply with the proper information security behavior.
Additional Factors
While the abovementioned factors primarily relate to the human factors that might influence security awareness and learning, the existing literature has explored several additional factors ranging from demographic to technological aspects. Some scholars have found that women and younger people (18-25) are more susceptible to security breaches than men (Sheng et al., 2010, as cited in McCormac et al., 2017). Bauer and Bernroider (2017) have emphasized that technological factors such as reminders and security warning messages affect ISA positively. Therefore, although human factors are the most significant factors, organizations should also consider other factors.
References
Bada, M., Sasse, M. A., & Nurse, J. R. C. (2019). Cyber security awareness campaigns: Why do they fail to change behaviour? International Conference on Cyber Security for Sustainable Society, 2015.
Bauer, S., & Bernroider, E. W. N. (2017). From information security awareness to reasoned compliant action. ACM SIGMIS Database: the DATABASE for Advances in Information Systems, 48(3), 44–68.
Hadlington, L. (2017). Human factors in cybersecurity; examining the link between internet addiction, impulsivity, attitudes towards cybersecurity, and risky cybersecurity behaviours. Heliyon, 3(7), 2–18.
Jaeger, L. (2018). Information security awareness: Literature review and integrative framework. Proceedings of the 51st Hawaii International Conference on System Sciences, 4703–4712.
Ki-Aries, D., & Faily, S. (2017). Persona-centred information security awareness. Computers & Security, 70, 663–674.
McCormac, A., Zwaans, T., Parsons, K., Calic, D., Butavicius, M., & Pattinson, M. (2017). Individual differences and information security awareness. Computers in Human Behavior, 69, 151–156.
Parsons, K., Calic, D., Pattinson, M., Butavicius, M., McCormac, A., & Zwaans, T. (2017). The Human Aspects of Information Security Questionnaire (HAIS-Q): Two further validation studies. Computers & Security, 66, 40–51.