Influencing Factors and Effectiveness of a Security Awareness Campaign
For an organisation, technical security controls are important for protecting information assets, but without cooperation from the employees they are nearly useless. As the importance of information security awareness has gradually been realised, different campaigns and programs have been created for deployment in organisations that wish to strengthen the awareness and knowledge of their employees. Creating an effective program or campaign is not straightforward, and several factors come into play. Prior knowledge, attitude, personality and the company's culture and norms are all examples of such factors. Some studies have been conducted to try to outline the optimal way of implementing a program, or to measure the effect of an awareness campaign, but the topic is still highly relevant to research. This project uses data from an information security awareness campaign that has been deployed in a company consisting of around 2000 knowledge workers. The goal is to try to find out to what degree different groups of people have different views on the implemented campaign and on the general topic of information security. The campaign consisted of three "rounds" running periodically over three years, and continuous communication, reminders and talks were also given outside the specified rounds. In each round, a set of e-learning sessions was released on the company's intranet, consisting of a video raising a security issue accompanied by PowerPoint slides elaborating on the issue. After each campaign "round", a survey was conducted, asking the employees various questions regarding the campaign and security in general. In addition to data from the program, interviews were conducted to substantiate or contradict findings from the surveys. The findings indicate that there are differences by gender, age, and management responsibility level with regard to information security in the workplace.
They also imply that the campaign had some effect on the employees, but more on their motivation and attitude, and less on their behaviour. The interviews uncovered four main themes: the campaign, IT systems in the organisation, information security and policies, and management and organisation. All interviewees were content with the campaign method, although they admitted they learned little new from it. Most agreed that the campaign rounds could be spread more evenly over the year, and some wished for stricter or obligatory completion of the e-learning sessions. Although all candidates expressed that information security was important to them and their coworkers, most of them mentioned the gap between security and practicality. All interviewees agreed that their boss has a positive approach to information security and that this is important for creating positive engagement around the topic in the company.