Acknowledging and Reducing the Knowing and Doing gap in Employee Cybersecurity Compliance

Organisations have a tendency of worrying about their vulnerabilities to outsider threats when contrasted with their weakness to insider threats, despite how industry-particular research proposes that a substantial amount of security breaches emanate from a trusted insider(employee) within the organisation. Insiders frequently participate unconsciously in unsafe practices (naive mistakes) that may debilitate the security, privacy and trustworthiness of organisations' data or debilitate the current technological security barriers. Insider threat is frequently counted by, initially, a security policy followed by awareness and training initiatives on the policy and good security practices. These measures ensure that insiders are capable and know how to complete their everyday duties securely. Nonetheless, literature demonstrates that awareness and training activities increment on knowledge; however, not all knowledge cultivates expected cybersecurity practices. This might be credited to the gap between knowing and doing, emanating from omissive behaviours. Understanding this gap is key to sufficiently addressing security breaches. The purpose of this study is to present a cybersecurity policy compliance motivation/reinforcement model which helps with advancing the change of knowledge into positive cybersecurity practices (behaviours). The model draws from the deterrence theory and the theory of planned action. The strategies utilised include action research and expert review to refine and validate the model. The action research was thoroughly conducted in two cycles at an SME in South Africa and included 30 participating employees. The study observed the connection between knowledge, punishments/rewards and behaviour, and affirmed that knowledge does not ensure good behaviour. After knowledge dispersal initiatives, around 64% of behavioural intentions translated to desirable action. Nonetheless, prevention utilising rewards for good conduct and punishment for bad conduct made a change of 19%. This uncovered the relationship between employees dreading discipline or being pulled in by remunerations, hence behaving securely.