Motivating Information Security Awareness (ISA): An action research study.

摘要

The goal of the study was to identify and analyze specific environmental and social conditions that motivate middle management to advocate for Information Security Awareness (ISA), as well as to see if exposure to new information security knowledge would change their behavior. Using a mixed-method action research approach, a group of managers shared their awareness knowledge, advocacy behaviors, and challenges influencing their engagement in information security awareness advocacy. Post workshop feedback confirmed the effectiveness of the Action Research workshops in increasing ISA advocacy behaviors.;The action research workshops provided an opportunity for the participants to increase their security knowledge and recommend improvements in ISA advocacy practices. Thirty-eight (38) managers, divided among four workshops, participated in the study. Within the research activities, I presented the group with an awareness knowledge self-assessment survey, which captured the managers' view of their own information security knowledge, a sample information security awareness presentation brought context to the workshop, and a group discussion similar to a focus group provided the environment for discussions. During these activities, the managers expressed recommended changes they could drive to improve ISA advocacy. The workshop activities concluded with a closing discussion seeking commitment from the managers to act on the recommendations to improve ISA advocacy. These engagements of learning, and sharing their awareness, supported the main goal of leveraging action research. The findings support the Action Research workshops were an effective tool to increase the participants learning, to improve the practice of ISA advocacy, and to socialize the topic of information security.;The key lessons learned from the research contribute to the overall body of knowledge in the information security awareness discipline as follows. Key finding 1: the feedback on self-reflective levels of knowledge in information security awareness indicated managers are not sufficiently exposed to ISA content. Key finding 2: the self-reflection on advocacy behaviors projected positive attitudes and increased motivation to propose and take actions toward sharing ISA with employees and peers. Key finding 3: the main challenges discovered show that managers need more guidance, increased awareness knowledge, more organizational support, and the creation of a climate that supports advocacy behaviors. Key finding 4: the Action Research workshop contributed to participants learning, and to improvements to information security practices through participants' new behaviors to increase ISA advocacy. Participants reported they learned and used the ISA topics discussed during the workshop with their friends, family, peers, and employees after the workshop. The key thesis findings led to the following recommendations to help organizations foster a climate that supports ongoing advocacy behaviors. The recommended activities include: helping managers understand the importance of their engagement in advocacy behavior; obtaining resources that increase information security awareness and knowledge; planning and sharing activities that promote ISA sharing; and, communication the expectation for advocacy behaviors and the resources available to support sharing information security awareness.