Introduction
Organizations spent over $73.7 billion protecting their computer systems in 2016 to avoid becoming victims of security breaches, with predictions that the figure will increase to over $170 billion by 2020 (Freeman, 2017). Regardless of the vast amounts of money an organization spends, hackers circumvent security measures when users fail to exercise good security practices: responding to phishing emails that harvest personally identifiable information, including passwords; visiting untrusted websites; downloading malicious software such as key loggers; or failing to create strong passwords or to apply updates, security patches, and virus protection software (Goel, Williams, & Dincelli, 2017; Thomas, 2004). For example, Anthem released over 83 million patient insurance records after five employees, including the database administrator, inadvertently responded to a phishing attack and provided their login credentials to the attackers (Huson & Hewitt, 2016; Ragan, 2015).
Many organizations allowed their employees to use personal phones (95%), tablets (67%), and laptops (93%), with slightly more than half of the devices being issued by the organization (51%, 30%, and 63% respectively) (M. A. Harris & Patten, 2015). While these organizations can enforce policies and security measures on business-owned devices, it is much harder to enforce these measures on an individual's personal devices. Over a third (35%) of cell phone users installed third-party apps, 31% of cell phone users and 52% of laptop users stored authentication credentials in apps, and 13% of cell phone users and 5% of laptop users had their devices lost or stolen.
Thus, organizations must improve their users' security practices, since these users are often the weakest link (Ayyagari, 2012; Bulgurcu, Cavusoglu, & Benbasat, 2010; Kirkpatrick, 2006; Lee, Lee, & Yoo, 2004; Mitnick, Simon, & Wozniak, 2006; Rezgui & Marks, 2008). Sometimes, attacks occur when users access their organizations' systems, databases, and confidential documents using their home computers rather than their work computers (Furnell, Bryant, & Phippen, 2007). Organizations must ensure users comply with information security (IS) policies to minimize incidents, since only roughly 70% of employees know where to find their corporate security policies and just 64% read the policy (Da Veiga, 2016). Major threats to security include employees who do not comply with policies either because they are careless (Siponen, Mahmood, & Pahnila, 2014; Siponen, Pahnila, & Mahmood, 2007) or because they are unaware of how to securely access the organization's systems. To improve users' compliance, IS managers have implemented IS awareness programs (Bauer, Bernroider, & Chudzikowski, 2017).
To prevent data breaches, organizations should increase the IS awareness of their employees. Accordingly, organizations attempt to increase employees' security awareness through training and educational courses (Dodge, Carver, & Ferguson, 2007; He, Ash, et al., 2019; Schultz, 2012) in the hope of motivating these employees to safeguard their passwords as well as the organization's computer systems and databases (Gage, 1996; Grau, 1984; Siponen, 2000). Several studies explored whether training and education influence security behavior, rather than whether they decrease the number of security incidents a user experiences (Britt, 2008; Caldwell, 2016; Pollitt, 2005; Puhakainen & Siponen, 2010; Sherizen, 1984; Siponen, 2000).
However, security training and awareness programs affect an employee's knowledge, behavior, and awareness only for a short time (Hagen & Albrechtsen, 2009). White (2012, 2015) found that those with more security education still reported experiencing security incidents.