Employees play an important role in the information security performance of organizations through their security awareness, cautious behaviour and compliance with policies and procedures. In this thesis we study the effect of security training and awareness programs on individuals’ information (in)secure behaviour. First, we analysed the determinants of information (in)secure behaviour, their experience and personal role in information security. In two field experiments, concerning phishing and screen locking, we tested the impact of information provision, simulating experience with phishing mails, and constant salient reminders on improvements of information secure behaviour. Participants in the experiments were employees of the Dutch Ministry of Economic Affairs. The main finding of this study is that in both experiments all three treatments were effective in improving information secure behaviour. Furthermore, we found interventions in the screen locking experiment to be effective up to two months after treatments were stopped. This study therefore supports the effectiveness of interventions based upon behavioural insights, applied to the domain of information security. Furthermore, by comparing the effectiveness of interventions, this thesis provides both practitioners and scientists with clear, actionable means which should be taken into account when developing security education, training and awareness programs. Although all treatments improved information secure behaviour, results also indicate that in order to be successful, trainings and awareness campaigns should be repeated.

Aydogan, I.
hdl.handle.net/2105/33933
Business Economics
Erasmus School of Economics

Bruin, J. de. (2016, June 22). Promoting information secure behaviour in an organizational context. Business Economics. Retrieved from http://hdl.handle.net/2105/33933