Can we sell security like soap?: a new approach to behaviour change

Many organisations run security awareness programmes with the aim of improving end user behaviours around information security. Yet behavioural research tells us that raising awareness will not necessarily lead to behaviour change. In this paper we examine the challenge of changing end user behaviour and put forward social marketing as a new paradigm. Social marketing is a proven framework for achieving behavioural change and has traditionally been used in health care interventions, although there is an increasing recognition that it could be successfully applied to a broader range of...

Don’t make excuses! Discouraging neutralization to reduce IT policy violation

Past research on information technology (IT) security training and awareness has focused on informing employees about security policies and formal sanctions for violating those policies. However, research suggests that deterrent sanctions may not be the most powerful influencer of employee violations. Often, employees use rationalizations, termed neutralization techniques, to overcome the effects of deterrence when deciding whether or not to violate a policy. Therefore, neutralization techniques often are stronger than sanctions in predicting employee behavior. For this study, we examine...

End User Information Security Awareness Programs for Improving Information Security in Banking Organizations: Preliminary Results from an Exploratory Study

The purpose of this research is to analyze information security awareness (ISA) programs and the measurement of ISA behavior in banking organizations. The underlying paper summarizes the qualitative and exploratory part of our two-staged mixed methods research on the improvement of employee security behavior concerning IT operational risks. IT operational loss events are often caused by undesirable security behavior of employees concerning information technology. Organizations conduct ISA programs to build employees’ security awareness concerning information technology to prevent IT...