
How training affects information security compliance

1. Introduction
Information system security depends largely on people's behavior. Intentional adverse actions
against an information system are a common cause of information security compliance breaches,
and many critical information security activities cannot be handled automatically. A company
therefore needs to hire people to take care of the information system and to give them adequate
security training. In addition, humans are the weakest link in the information security chain
(Schneier, 2000), so it is mandatory to train all users correctly regarding information security
compliance. The goal of the training is to ensure that users apply the necessary policies and do not
misuse information security compliance. Unfortunately, whenever information security training is
given to employees or to a maintainer, there is always a risk that the employer's compliance
information is leaked.
Moreover, companies are actively bringing technology into their working processes. Servers
have replaced paper, databases have replaced books, and all important client data is stored online.
The question of how to protect personal information from being stolen and how to keep certain
data confidential is now pressing. One of the weakest points in information security is people,
including employees and users: "Only amateurs attack machines; professionals target people"
(Schneier, 2000). The human factor is a serious problem for information security. Our group's
umbrella question is the effect of training on employee compliance, and whether training could be
a solution to the existing non-compliance. A new understanding is emerging regarding information
systems security. People are beginning to realize that no matter how technologically advanced
security products become, or how sound and widely accepted the devised security processes are,
the achieved security level will always depend on the compliance of people. Security compliance
is regarded as "the next frontier in security research" by some researchers in the field (Julisch,
2008), and the means of achieving security compliance are an active area of research. Some of the
research focuses on monitoring and controlling, or on using motivation and fear, rewards and
punishments, to achieve compliance, while other research focuses on training. In this essay we
focus on training, and analyze the results of prior research to try to determine whether
long-lasting behavioral changes related to security compliance can be achieved by training.
The rest of the essay is organized as follows. The next section reviews prior scientific literature
on the use of training for achieving security compliance. Next, we discuss targeted training and go
through the benefits of training. Then we present the factors of information security and the
shortcomings of existing approaches. In the last section, we illustrate two existing frameworks.

2. Prior scientific literature


Before the era of networks, data files and information were kept on paper. Although paper-based
work is still widespread, with the emergence of networks and easy access to the Internet much
information is now transmitted and processed over the Internet. Huge amounts of information are
stored and retrieved digitally, and disseminated and replicated with high accuracy and speed. In
parallel with the development of local and global networks, threats, theft and destruction of
information have increased to the point that this has become perhaps one of the most important
issues in information security and protection. From the late 1980s, different standards for
information security, such as ISO/IEC, S7799, ISO/IEC 27001 and ISO/IEC TR 13335, were
created, and many organizations prepared information security for themselves by implementing
information security management systems (ISMS) to evaluate their information systems. From
2000 until now, there has been a great deal of research regarding information systems.

Figure 1 - Overall awareness level

Maconachy et al. (2001) examine the important dimensions of information security, paying
attention to the main features of IS (availability, accuracy, trustability), security actions
(technology, policies, procedures, and training and awareness) and information states (transmission,
storage and processing) for achieving information security.
In another study, Chang found that organizational culture has a direct influence on the
effectiveness of implementing an information security culture (Ernest Chang, 2007).
Organizational elements including cooperativeness, innovativeness, consistency and effectiveness
were examined against the ISM principles (confidentiality, integrity, availability and
accountability), and all organizational cultural aspects were shown to have a positive effect on IS
compliance. Kruger and Kearney (2010), assessing IS training using a vocabulary test, also found
that increasing employees' IS awareness level through a vocabulary test is effective and useful
and has a positive effect on employees' behavior.

3. Targeted Training
Human factors lead to non-compliance. Organizations implement information security policies
to keep their information resources secure, but if employees and users of the information system
are reluctant to follow the information system security policies, the organization's effort will be
futile. In recent years, researchers have been searching for new ways to improve the security
behavior of staff and users in organizations, so as to promote the understanding and acceptance of
security concepts and policies in organizations. It has been shown that security cannot be achieved
through technology alone. Organizations should consider formal and informal mechanisms such
as policies and procedures, organizational culture and the human role in security.
Today the success of information security seems to depend largely on the effective behavior of
those who work with it. Accurate and constructive behavior by users, administrators and others
can greatly improve the effectiveness of information security, while inappropriate and destructive
behavior can fundamentally hinder it. Organizations must ensure that staff accept the security
measures that protect the organization's data and the investments in its systems. Formal training
is usually carried out before security measures protecting information systems are deployed.
Recently reported security events show that the recklessness of employees and the non-acceptance
of security measures by staff often cost organizations millions of dollars.
People and human factors have features such as being stubborn, capricious, untidy and
complex. The treatment of dimensions of information systems such as values, ways of thinking,
beliefs and norms that influence employee behavior can be modelled by the theory of reasoned
action (TRA) or the theory of planned behavior (TPB) (Huang, 2009).

Figure 2. Theory of reasoned action [16]

Both of these theories consider the relationship between thinking, intention and behavior, and
both consider why people behave in a certain way (Huang, 2009).

Figure 3. Theory of planned behavior [16]

3.1. Barriers to compliance

In addition to knowing why it is required to report security breaches and understanding how to
do this, employees should also be able to identify a security violation. Although some employees
feel that reporting a security breach committed by a new employee is unfair, they have to report it.
However, some believe that new employees should be given another chance, so that they feel safe
and are inclined to discuss the security issue with their colleagues and find out how to handle it
properly. In addition, from my own experience, some staff violated the meaning of a security law
and did not want to report violations which in their mind were nonsense and inefficient. Some of
them acted as though responsibility was not their duty, and as a result they refused to obey the
policies.
I remember that some of the staff were asking, "Why should I not use memory cards when
everyone is using them to send information?" Another organizational factor that adds to these
problems is conflicting goals. Many employees work under a lot of pressure to deliver products in
a short period of time, which may conflict with the time-consuming security process. In this
situation, employees should know how to prioritize security purposes when defining their duties.
The obstacles mentioned above have created a greater gap between expected behavior and actual
behavior.

4. Benefits from Training your Employees


Having highly skilled employees is a huge benefit to any company or organization. A
company's success may be directly attributed to its individual employees' skills, and this fact
should not be overlooked. Many organizations spend too much money on third-party consultants
to cover essential business tasks including vulnerability scans, developing policies (especially
security policies), and other important work. Providing these services internally can be a great
benefit, and the cost of training employees proves to be much cheaper in the long run (Murison).
Of course, outside consultants are sometimes required, but having internal expertise can be
very valuable to the company. Identifying and preventing security weaknesses in systems, instead
of waiting for an external auditor to find them during a compliance audit, will save your
organization from producing a fix that merely meets minimal compliance requirements.
Although it is tempting to cut costs such as training that do not directly produce a profit,
investing more in training has been shown to give employees a better sense of worth, and
consequently higher productivity (Murison).

5. How employees benefit from IS training


Nowadays technologies develop rapidly. Staying clear of attacks and threats is a goal for both
employee and company, to keep their position on top of the trends. For employees, developing
their knowledge should not be hindered or stopped after leaving college, and should be continued
as training in companies. This benefits both the employee's career and the company itself.
Career security, salary increases and promotions can all be benefits of acquiring useful new
knowledge. Managers may be tempted to cut the costs of training their employees to save budget,
thinking that employees can easily acquire the knowledge by themselves through cheaper means
such as books or online training services. However, although these options are cheaper, they do
not have the same benefits and may not be efficient: real-world problems and issues cannot always
be easily replicated through reading online resources and books.
On the other hand, employees will find IS interesting if they know that they can also protect
their own data and information better, and that if they do not follow security policies they may
expose their own data as well as the company's critical information. An IT expert's role in a
company usually also includes specialization. Having specialized skills helps employees in their
own careers as well as helping the company to develop its security solutions (Murison).

6. Impact of Information Security Factors


Information security factors can be managed in three groups: training factors, organizational
factors and behavioral factors (Waly et al., 2012).

6.1. Training Factors

Training teaches skills that allow a trainee to perform a specific function. Training on
information security is of most benefit to those who depend on technology for sharing information
in order to do their work. It could be argued that the information security awareness and training
program provided to employees reduces the factors behind security breaches and vulnerabilities in
the organization. However, some researchers have shown that security training and awareness
programs are useless, because most employees do not use the skills they have learned and do not
follow the appropriate behavior in the work environment (Waly et al., 2012).
Awareness of the training factor suggests training the system administrators with information
security courses. System administrator training covers information management controls,
operational controls and technical controls. The system administrator needs strong training for the
situations in which he has been given rights to use employees' or employers' sensitive data; misuse
of any information by the system administrator affects information security compliance (Guttman
and Roback, 1995).

Training educates employees and instils appropriate behavior to reduce security threats, and it
improves information security management. Information security training and awareness
programs have a great influence on an organization's culture by encouraging security practices
(Waly et al., 2012).

6.2. Behavioral Factors

Employees' cultural, individual, social and psychological factors affect their behavior.
Employees' individual values and beliefs are considered crucial to organizational success (Waly et
al., 2012). One study reports several access control security incidents that were noticed on an
enterprise network IT system. The incidents had a great impact: confidential data of some clients
and partners was leaked, some records were erased using another employee's resources, and all
employees' salaries were made public using human resources files. The incidents happened
because of misuse of user access rights, where the original user had given his computer password
to another user. The incidents involved a poor password system and leaving the employer's
computer logon screen unlocked during lunch hours or after office hours, and the employees
concerned were well trained. The negligent attitude of trained employees affects IS (information
security) compliance (Eminagaoglu et al., 2009). It needs to be understood that security depends
on the individuals who implement and interact with it.

6.3. Organizational Factors

A safety factor can prevent incidents arising from failures such as policy failures, equipment
failures or human errors. Organizational factors include the effectiveness of commitment, security
support from management, and security risks and threats. Sometimes people lack enthusiasm or
are unwilling to change their present work responsibilities, which is a factor for the organization.
The IS policy must be enforced in an organization to make security effective (Waly et al., 2012).
IST (Information Security Training) is an excellent method for improving human performance,
such as individual skill, knowledge and attitude. The focus and purpose of IST is to produce
relevant information security skills, but the method fails when the exact methods taught during
training are not used. Without any training, new users or employees do not understand how to
protect their systems or information effectively (Amankwa et al., 2014).

In most cases, information security fails because of poor practice. Since the most critical threat
to information security is the careless attitude of employees who do not comply with the set of IS
security policies, awareness is the more important factor in that case. Through IS security
awareness we can reduce the factor of human error and increase employees' knowledge in this
field.

6.4. Target Group

Information security training is needed for the top management team of a company or
organization. The management team obliges employees to take information security training in
order to follow its rules and regulations. In addition, training is needed for managing the
information system. If employees have proper IS (information security) training, they can handle
security threats. End users too must receive IS training to protect themselves.

7. Shortcomings of existing approaches


There are many companies selling information systems security training as a product, and they
sometimes explicitly advertise it as a remedy for IS security compliance issues. Many of us would
like to know how a product actually works and whether its functionality is verified before we
purchase it, especially if it is something new to us. Assume you are responsible for IS compliance
in an organization, and you want to buy one of these trainings. How would you convince yourself
and others that it works? How would you choose among the alternatives? If you have already
identified a set of non-compliant behaviors, or employees sharing a common profile are the subject
of the compliance issue, how would you know which training program would better address the
specific compliance problems in your organization? Or which one would be more effective when
practiced in the particular settings of your organization? These questions, and others like them
that may come to mind, can be answered definitely and without bias only if there exists scientific
work backing up the claims of the training program. But can existing studies on IS security
training help us answer these questions about the training approaches they consider? Our claim is
that they cannot help much, due to shortcomings of the adopted approaches. We discuss these
shortcomings in the rest of the section. For the rest of this section, when we use the word training,
the reader should understand IS security compliance training, in other words training aimed at
eliciting long-lasting behavioral changes leading to increased security compliance.
Puhakainen and Siponen (2010) present a compilation of the existing literature on training.
According to this paper, out of 23 studies only four attempt to explain how the training program
works. Again, out of these 23, only two present empirical evidence to show whether the program
actually works in practice and to what degree. Similarly, in (Puhakainen 2006), an analysis of 59
studies on IS awareness reveals that only eight presented a theoretical background and only a tiny
fraction presented empirical evidence, conceptual analysis being the dominant research approach.
With these figures in mind, it is easy to see why it would be so hard to answer the
aforementioned questions. If a training program is not theory-based, we do not know how it works;
hence we lack the information we need to reason about whether it will work as well in settings
other than those in the study, or whether it will break. Moreover, training is not the only path to
achieving compliance. An additional benefit of using theoretically grounded approaches would be
a better understanding of the interplay between different approaches to IS security compliance,
such as that between a punitive approach and a training approach. For example, Arvey and
Ivancevich (1980) found that punitive approaches are more effective when they are rationalized
by a cognitive approach. With a theoretical understanding of approaches from both domains, it
would be possible to identify complementary methods that have the best synergy with the training
program to be practiced.
Lack of empirical evidence, on the other hand, means that we do not know whether the program
works in practice at all. Furthermore, without a framework to measure the effectiveness of training
programs, we are restricted to biased opinions or other criteria such as price and logistical
convenience when we need to choose between them. We believe these shortcomings should be
overcome by adopting approaches which are theory-based and enable quantitative comparisons of
effectiveness.
In this section, we discussed the necessity of change in the approaches to training, and the
benefits this could bring to practical applications of training by making it an even more effective
method of achieving IS security compliance, with measurable effects. We believe the proposed
changes would allow a much stronger answer to the question of how training affects IS security
compliance than the prior studies on the subject can provide.

8. The theoretical frameworks


Kruger and Kearney (2006) present a case study from Australia (Figure 3) and find that the level
of information security awareness among employees is medium (65%, as shown in figure 1).

Figure 4 - (a) Regional awareness map of Australia; (b) global awareness map [2].

They explain that if we wish our employees to comply, we need to prepare more training to
increase their awareness and knowledge, and to decide what data we should gather to consider in
the training, since more awareness leads to more compliance; for that, we need to cover the tree
structure of IS awareness shown in figure 5. On one hand, the structure should consider all the
different aspects needed for training, but it should not be too complicated to understand. On the
other hand, it should define how important and necessary each factor is. They assessed information
security awareness in international organizations and examined an international mining company
as a case study. They categorized IS awareness into three regions, Knowledge, Attitude and
Behavior, and argued that compliance with policies, building and preserving strong passwords,
internet and email security, equipment safety in data transmission, and documentation should be
covered in these regions.

Figure 5 - Tree structure of assessing IS awareness [2]
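The following is an added illustration of how such a tree can be turned into a number, written for this essay and not taken from the essay or from Kruger and Kearney's prototype. The three regions and the five focus areas are the ones listed above; the dimension weights, focus-area weights, level thresholds and survey results are assumptions constructed for the demonstration. Behaviour is deliberately weighted highest, so an area where people know the rule but do not follow it (the situation described in section 6.2) drags the score down and surfaces as a target for the next training round. The `compare` function also gives the kind of before/after measurement that section 7 asks for when judging whether a training had an effect.

```python
"""Weighted scoring over a Knowledge / Attitude / Behaviour awareness tree.

Added example, not code from the essay or from Kruger & Kearney's prototype.
The dimensions and focus areas are the ones the essay lists; the weights,
level thresholds and survey results are assumptions constructed here.
"""

# Assumed relative importance of the three tree dimensions. Behaviour is
# weighted highest so that knowing a rule but ignoring it pulls the score down.
DIMENSION_WEIGHTS = {"knowledge": 0.3, "attitude": 0.2, "behaviour": 0.5}

# Focus areas named in the essay, each with an assumed weight in the tree.
FOCUS_AREA_WEIGHTS = {
    "policy compliance": 0.25,
    "passwords": 0.25,
    "internet and email": 0.20,
    "equipment and data transmission": 0.15,
    "documentation": 0.15,
}

# Assumed level thresholds on the 0-100 scale, checked from highest to lowest.
LEVELS = [(80.0, "good"), (60.0, "medium"), (0.0, "poor")]

# Constructed survey results: per focus area, the fraction of questions
# answered "correctly" in each dimension (0.0 .. 1.0).
BEFORE_TRAINING = {
    "policy compliance": {"knowledge": 0.8, "attitude": 0.7, "behaviour": 0.6},
    "passwords": {"knowledge": 0.9, "attitude": 0.8, "behaviour": 0.4},
    "internet and email": {"knowledge": 0.7, "attitude": 0.6, "behaviour": 0.7},
    "equipment and data transmission": {"knowledge": 0.6, "attitude": 0.5, "behaviour": 0.5},
    "documentation": {"knowledge": 0.8, "attitude": 0.8, "behaviour": 0.8},
}

# Constructed follow-up survey after a training round aimed at the weakest areas.
AFTER_TRAINING = {
    **BEFORE_TRAINING,
    "passwords": {"knowledge": 0.9, "attitude": 0.8, "behaviour": 0.8},
    "equipment and data transmission": {"knowledge": 0.7, "attitude": 0.6, "behaviour": 0.7},
}


def area_score(answers):
    """Weighted percentage for one focus area across the three dimensions."""
    total = sum(DIMENSION_WEIGHTS.values())
    return 100.0 * sum(DIMENSION_WEIGHTS[d] * answers[d] for d in DIMENSION_WEIGHTS) / total


def overall_score(results):
    """Weighted percentage across the focus areas present in `results`."""
    total = sum(FOCUS_AREA_WEIGHTS[a] for a in results)
    return sum(FOCUS_AREA_WEIGHTS[a] * area_score(r) for a, r in results.items()) / total


def level(score):
    """Map a 0-100 score onto the assumed good / medium / poor levels."""
    for threshold, name in LEVELS:
        if score >= threshold:
            return name
    return LEVELS[-1][1]


def weakest_areas(results, n=2):
    """Focus areas to target in the next training round, lowest score first."""
    return sorted(results, key=lambda a: area_score(results[a]))[:n]


def assess(results):
    """One assessment report: overall score, its level, per-area scores and the weakest areas."""
    score = overall_score(results)
    return {
        "overall": round(score, 1),
        "level": level(score),
        "weakest": weakest_areas(results),
        "areas": {a: round(area_score(r), 1) for a, r in results.items()},
    }


def compare(before, after):
    """Change in each area's score between two survey rounds: a quantitative
    measure of what a training round achieved."""
    return {a: round(area_score(after[a]) - area_score(before[a]), 1) for a in before}


if __name__ == "__main__":
    report = assess(BEFORE_TRAINING)
    print(f"overall {report['overall']} ({report['level']}), weakest: {report['weakest']}")
    print("change after training:", compare(BEFORE_TRAINING, AFTER_TRAINING))
```

With the constructed numbers the "passwords" area has the highest knowledge score of all five areas yet ranks second weakest, because the behaviour answers are poor; a knowledge-only survey would have missed it. The weights are where the "how important and necessary is each factor" decision of the paragraph above is recorded, so they should be agreed with management before the first survey rather than tuned afterwards to make the result look better.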

As mentioned in the shortcomings of existing approaches, organizations have to prepare
theoretical frameworks for training their employees to comply with IS security. The first step is
that the IS security training provides a theoretical explanation, so that the trainers know the theory
of how the training program helps people to learn and what principles are needed for user
compliance with IS security policies. As a second step, the underlying theory should provide
guidance on how efficient training is to be constructed in real life. This is important for employees
who need guidance to implement efficient training.
The elaboration likelihood model (ELM) became the primary underlying theory in (Puhakainen,
2010); it explains how predictable, long-lasting behavioral changes can be achieved through
cognitive processing, which is what IS policy compliance training needs.
Instructional theories seem to be ideal candidates for cognitive information security training.
As an example, the instructional design theory UCIT provides a framework for designing
instruction that is custom-built for a specific learning topic (such as e-mail policy compliance)
and target group (such as a certain branch of a company). Consequently, UCIT was chosen as the
second base theory for training information security compliance (Puhakainen, 2010).

9. Learning theories
Here we discuss two theoretical frameworks: Universal Constructive Instructional Theory and
Gagné's learning theory.

9.1. Universal Constructive Instructional Theory

There are many different definitions of the learning process. It could be described as "the
activity or process of gaining knowledge or skill by studying, practicing, being taught, or
experiencing something" (Merriam-webster.com, 2015); in terms of information security learning,
the skills would be to protect the network from possible attacks and to ensure its integrity and, if
possible, the absence of vulnerabilities. Instruction can be a way of obtaining the necessary
knowledge and developing the abilities aimed at information security awareness. The Universal
Constructive Instructional Theory (UCIT) opens a new perspective for instructional theories: it
does not provide ready-made instruction, but helps to create a personally adapted instructional
theory.
UCIT is used as a core theory for information security instructional programs to be used in
companies. UCIT consists of three main components (Puhakainen, 2006):
1. Functions: acquisition, storage and use of knowledge. They apply both to the person
participating in the training and to the learning environment (Schott & Driscoll, 1997).
2. Basic components:
- Learning environment: teaching methods, media, instructor
- Learning task
- Learner
- The particular environment where the learning takes place (Schott & Driscoll, 1997).
3. Situated possibilities/constraints systems (SPC systems): the information obtained during the
instruction depends on the opportunities and fixed variables presented in the form of external and
internal information (Schott & Driscoll, 1997).

There are different phases when applying UCIT:
- Defining the scope of the training and clear objectives: information security compliance
- Defining the previous knowledge and skills of the future learners
- Deciding on the way to create instructions and the instructional process itself

9.2. Gagné's learning theory

Gagné's learning theory was developed in the 1960s to 1980s. It states that there is a range of
different ways of learning. It is important to be aware of the different types of information
comprehension, because each of them requires a different approach when designing instruction.
There are five main types of learning (Gredler, 1997):
- verbal information
- intellectual skills
- cognitive strategies
- motor skills
- attitudes

Knowing this classification helps in developing different learning environments. The theory also
defines nine stages of instruction and learning processes (Gagne et al., 1992). They could be
applied to an information security instructional procedure as follows:
1. Gaining attention (reception). Describing the current threats and how users could cause threats
to the systems.
2. Informing learners of the objective (expectancy). Stating that by the end of the instructional
process the learners will be aware of the security threats and the risk of the human factor in the IS
will be minimized.
3. Stimulating recall of prior learning (retrieval). Interactive questions and workshops in order to
find out the prior educational background and to show the lack of knowledge in particular fields.
4. Presenting the stimulus (selective perception). Defining the terms: vulnerability, malware,
social engineering.
5. Providing learning guidance (semantic encoding). Showing how to prevent an attack from
happening from the employee's point of view: not only the employees of the IT department need
to receive the training or instruction.
6. Eliciting performance (responding). Asking the learners to show an example of how an
employee could prevent an attack, to find cases of IS issues, or to identify previous mistakes and
how they could have been avoided.
7. Providing feedback (reinforcement). Revising the material, identifying the mistakes the learners
are making, and a preliminary assessment of the work done.
8. Assessing performance (retrieval). Providing scores for the tasks carried out during the
instructional period.
9. Enhancing retention and transfer (generalization). Developing future tasks for the learners in
order to help them practice the knowledge gained during the instructional period.

10. Conclusion
This group essay analyzes how training influences information security compliance. Firstly,
the overall awareness of information security was studied. It was found that almost 40% of the
overall population does not know about information security, and that enhancing their awareness
leads to more compliance. Next, the impacts of information security factors were analyzed and we
concentrated on the effects and benefits of training. The effects of those factors were found to be
a concern, and precautions are needed for an organization involved in information security training.
Each section in this part attempted to provide a direct answer to our research question.
Moreover, it was found that there is a big gap in the empirical knowledge of the effects of training
as well as in its theoretical foundation. Finally, two theoretical frameworks related to the
instructional process were described. They highlighted the main steps in the teaching process that
could raise the awareness and interest of employees, in order to later establish information
security compliance.
We found that providing IS training brings many benefits for IS compliance, and even if it
brings some financial cost to the company, in the long run the benefits outweigh the costs. In
addition, we found that a well-trained system administrator abused information security resources
by giving one user's access to another user, whereas awareness of the training factor suggests
training the system administrator from top to bottom despite the abuse.
Our purpose in this essay was to uncover the effects of training on information security
compliance. In the final part, we concentrated on the issue of making training more effective. In
these sections, we looked for ways that could enable a stronger answer to the question. Our
findings are based on existing research and are summarized below:
- Training improves information security awareness, and more awareness leads to more
compliance
- Training built on a theoretical foundation is more effective and makes it easier to motivate
employees to follow IS policies and rules

References
[1] Maconachy, W. V., et al. "A model for information assurance: An integrated approach."
Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, Vol. 310, New
York, USA, 2001.
[2] Kruger, H. A., and Kearney, W. D. "A prototype for assessing information security
awareness." Computers & Security 25, no. 4, pp. 289-296, 2006.
[3] Ernest Chang, S., and Lin, C.-S. "Exploring organizational culture for information security
management." Industrial Management & Data Systems, pp. 438-458, 2007.
[4] Kruger, H., Drevin, L., and Steyn, T. "A vocabulary test to assess information security
awareness." Information Management & Computer Security 18, no. 5, pp. 316-327, 2010.
[5] Choi, N., et al. "Knowing is doing: An empirical validation of the relationship between
managerial information security awareness and action." Information Management & Computer
Security 16, no. 5, pp. 484-501, 2008.
[6] Foundstone, http://www.mcafee.com [online].
[7] Puhakainen, P., and Siponen, M. "Improving employees' compliance through information
systems security training: an action research study." MIS Quarterly, pp. 757-778, 2010.
[8] Merriam-webster.com, "learning | the activity or process of gaining knowledge or skill by
studying, practicing, being taught, or experiencing something: the activity of someone who
learns", 2015. [Online]. Available: http://www.merriam-webster.com/dictionary/learning.
[Accessed: 17-Nov-2015]
[9] Puhakainen, P. (2006). A design theory for information security awareness.
[10] Schott & Driscoll (1997). Universal Constructive Instructional Theory.
[11] Gredler, M. E. (1997). Learning and instruction: Theory into practice. Upper Saddle River,
NJ: Prentice-Hall, Inc.
[12] Gagne, R., Briggs, L., and Wager, W. (1992). Principles of Instructional Design (4th ed.).
Fort Worth, TX: HBJ College Publishers.
[13] Arvey, R. D., and Ivancevich, J. M. (1980). "Punishment in Organizations: A Review,
Propositions, and Research Suggestions." The Academy of Management Review 5, no. 1,
pp. 123-132.
[14] Julisch, K. (2008). "Security compliance: the next frontier in security research." In
Proceedings of the 2008 Workshop on New Security Paradigms (NSPW '08), ACM, New York,
NY, USA, pp. 71-74. DOI: http://dx.doi.org/10.1145/1595676.1595687
[15] Huang, M.-H., and Xie, K. "First-line and middle manager IT usage intention: A
comparison of TAM, TRA and TPB." In Management and Service Science, 2009 (MASS '09),
International Conference on, pp. 1-4. IEEE, 2009.
[16] Ajzen, I. "The theory of planned behavior." Organizational Behavior and Human Decision
Processes 50, no. 2 (1991), pp. 179-211.
[17] Amankwa, E., Loock, M., and Kritzinger, E. "A Conceptual Analysis of Information
Security Education, Information Security Training and Information Security Awareness
Definitions." 2014. At:
http://ieeexplore.ieee.org.ezproxy.utu.fi:2048/stamp/stamp.jsp?tp=&arnumber=7038814
[18] Eminagaoglu, M., Ucar, E., and Eren, S. "The Positive Outcomes of Information Security
Awareness Training in Companies." 2009. At:
http://ac.elscdn.com/S1363412710000099/1-s2.0-S1363412710000099-main.pdf?_tid=60e3d90692b7-11e5-8f5600000aacb361&acdnat=1448375380_7d44df8d0a2b675389562d417a16e52e
[19] Waly, N., Tassabehji, R., and Kamala, M. "Improving Organization Security Management:
The Impact of Training and Awareness." 2012. At:
http://ieeexplore.ieee.org.ezproxy.utu.fi:2048/stamp/stamp.jsp?tp=&arnumber=6332323
[20] Guttman, B., and Roback, E. An Introduction to Computer Security. NIST Publications,
1995/2003.
