The Misunderstood Link: Information Security Training Strategy Emergent Research Forum (ERF)

Cited by: 0
Authors
Torres, Henry G. [1]
Gupta, Saurabh [2]
Affiliations
[1] Arkansas State Univ, State Univ, AR 72467 USA
[2] Kennesaw State Univ, Kennesaw, GA 30144 USA
Source
Keywords
Information security; training; information security training; security education training; information security training strategy; training strategy; phishing; security awareness; SETA; design science; DESIGN SCIENCE; FEAR APPEALS; IMPACT;
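DOI
Not available
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812;
Abstract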
Insecure user behavior and failure to identify phishing is a leading cause of information security breaches, triggering increased company costs in keeping information secure. Training employees toward secure information systems (IS) behavior is a way for organizations to attempt keeping information secure. Herein we outline how using traditional goals for information security training is a contributing factor to the continued rise of insecure employee behavior. We posit that the approach to information security training recommended in extant literature is failing because of its focus on improving skills in procedural, policy, and compliance activities. We propose a model suggesting alternative goals and draw propositions regarding its effectiveness. The model is of interest to investigate if using a training design that includes goals/inputs matching tools and users, a training process matching inputs to methods, and knowledge transfer outcomes emphasizing affective and metacognitive learning, has a positive impact on secure behavior when using IS. The paper presents a design science model for a training strategy regarding information systems secure behavior.
Pages: 5