Training for Improved Information Security Culture (TIISC)
Short description
The project "Information Security Culture in Practice" is led by FOI and has a total budget of 15 million SEK. Its goal is to investigate how the information security culture in organizations can be measured and improved. The project is carried out by researchers at FOI, the University of Gothenburg, and Örebro University. The subproject "Training for Improved Information Security Culture (TIISC)," one of five subprojects, is led by the Department of Psychology at the University of Gothenburg and focuses on testing to what extent it is possible to improve workgroups' information security culture. Through a longitudinal randomized controlled trial, the subproject examined whether the combination of managerial behavioral training for managers and information-security training for employees could improve information security culture.
Background
Security-related behaviors of individuals can pose a risk to their organization's information security. Cross-sectional studies show strong correlations between managers' leadership behaviors and employees' information security behaviors. However, there is a lack of research on how managers can be trained in information-security leadership. In addition, longitudinal randomized controlled trials in information security research are important because they can advance our understanding of how the information security culture of organizations can be improved. Experience from related areas, such as workplace safety, indicates that leadership training based on topographic and functional behavior analysis can improve managers' safety leadership. Behavior analysis-based leadership training involves identifying and addressing behavioral excesses and deficits, as well as the operant learning processes that maintain these excesses and deficits. The behavior analysis then forms the basis for goal setting, behavior training with performance feedback, and homework assignments. The learning mechanism in behavior-based leadership training is believed to consist of the instrumental and social reinforcement that gradually develops and maintains managers’ contextually functional behaviors.
Purpose
The aim of the project was to investigate to what extent it is possible to improve the information security culture in workgroups by combining employee training with managerial behavioral training for managers.
Method
For the project, we developed the training program "Training for Improved Information Security Culture" (TIISC), which was designed to develop the security-related behaviors of employees and managers. TIISC consists of information security training for employees and CBT-based managerial behavioral training for managers. The effects of TIISC on security-related behaviors of employees and managers were evaluated in a longitudinal randomized controlled trial. Data on employees' and managers' security-related behaviors were collected over a 16-month period through repeated employee surveys and continuous measurement of employees’ phishing susceptibility.
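As an added illustration of how the outcome data from such a design can be analyzed (this is not the project's own code or its statistical method, and the data are constructed), the script below takes per-employee results from repeated phishing simulations in a randomized treatment arm and a control arm, computes the click rate per arm and measurement wave, and estimates the training effect as a difference-in-differences. It also flags employees who clicked in every wave, a defensive metric for deciding where follow-up training is most needed. The employee ids, wave numbers, and arm labels are hypothetical.

```python
"""Difference-in-differences on constructed phishing-simulation results.

Added illustration, not the project's code: group-level click rates per
measurement wave for a randomized treatment (training) arm vs. a control arm,
then a difference-in-differences (DiD) estimate of the training effect.
"""
from collections import defaultdict

# Constructed sample: (employee_id, arm, wave, clicked_simulated_phish).
# Wave 0 is the baseline before training; arm is assigned at random per
# workgroup before training starts. All values are hypothetical.
SAMPLE_RESULTS = [
    ("e01", "treatment", 0, 1), ("e01", "treatment", 1, 0), ("e01", "treatment", 2, 0),
    ("e02", "treatment", 0, 1), ("e02", "treatment", 1, 1), ("e02", "treatment", 2, 0),
    ("e03", "treatment", 0, 0), ("e03", "treatment", 1, 0), ("e03", "treatment", 2, 0),
    ("e04", "treatment", 0, 1), ("e04", "treatment", 1, 0), ("e04", "treatment", 2, 1),
    ("e05", "control",   0, 1), ("e05", "control",   1, 1), ("e05", "control",   2, 1),
    ("e06", "control",   0, 0), ("e06", "control",   1, 1), ("e06", "control",   2, 0),
    ("e07", "control",   0, 1), ("e07", "control",   1, 0), ("e07", "control",   2, 1),
    ("e08", "control",   0, 0), ("e08", "control",   1, 0), ("e08", "control",   2, 1),
]


def click_rates(results):
    """Return {(arm, wave): fraction of exposed employees who clicked}."""
    clicks = defaultdict(int)
    exposures = defaultdict(int)
    for _employee, arm, wave, clicked in results:
        exposures[(arm, wave)] += 1
        clicks[(arm, wave)] += int(bool(clicked))
    return {key: clicks[key] / exposures[key] for key in exposures}


def did_estimate(rates, baseline_wave, followup_wave):
    """Difference-in-differences on click rates.

    (treatment_after - treatment_before) - (control_after - control_before).
    A negative value means the treatment arm's click rate fell more than the
    control arm's over the same period, i.e. the desired direction.
    """
    treat_change = rates[("treatment", followup_wave)] - rates[("treatment", baseline_wave)]
    ctrl_change = rates[("control", followup_wave)] - rates[("control", baseline_wave)]
    return treat_change - ctrl_change


def repeat_clickers(results):
    """Employees who clicked in every wave they were exposed to.

    Useful for prioritizing follow-up training rather than for blame: the
    longitudinal design only helps if persistent susceptibility is acted on.
    """
    exposed = defaultdict(int)
    clicked = defaultdict(int)
    for employee, _arm, _wave, did_click in results:
        exposed[employee] += 1
        clicked[employee] += int(bool(did_click))
    return {emp for emp in exposed if clicked[emp] == exposed[emp]}


if __name__ == "__main__":
    rates = click_rates(SAMPLE_RESULTS)
    for (arm, wave), rate in sorted(rates.items()):
        print(f"{arm:>9} wave {wave}: click rate {rate:.2f}")
    print("DiD (wave 0 -> wave 2):", did_estimate(rates, 0, 2))
    print("repeat clickers:", sorted(repeat_clickers(SAMPLE_RESULTS)))
```

With the constructed data the treatment arm drops from 0.75 to 0.25 while the control arm rises from 0.50 to 0.75, giving a DiD of -0.75. Randomized assignment is what licenses reading that difference as a training effect; a real analysis would also need the confidence interval and a check that the baseline rates of the two arms were comparable.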
Results
The results show that the training program had a significant positive effect on most types of security-related behaviors in managers, but only on one type of security-related behavior in employees. Training programs that include behavior training for managers can achieve important improvements in organizations' information security culture, primarily by changing managers' security-related safety-leadership behaviors through behavior analysis, goal setting, behavior training with performance feedback, and homework assignments.
Researchers
Principal investigator
Martin Grill, Associate professor at the Department of Psychology
Members from other partners
Teodor Sommestad, Researcher at Swedish Defence Research Agency (FOI)
Henrik Karlzén, Researcher at Swedish Defence Research Agency (FOI)