This paper describes the key role of information security awareness (ISA) in organizational attempts to comply with their information security policies and mandated frameworks and regulations. The design, implementation, and evaluation of Security Education, Training, and Awareness (SETA) programs rely on the definition and measurement of ISA. Reviews of the research on SETA programs have shown robust effectiveness in improving ISA and security-related behaviors as a result of these programs. However, this same research has shown little ability to differentiate between the wide variety of SETA programs for achieving the variety of possible knowledge, attitude, intention, and behavioral outcomes at the individual or the organizational level that could be the objectives of these programs. This lack of differentiation results from an approach to ISA measurement that was designed to be broad and heterogeneous in an attempt to capture any and all changes in ISA. After reviewing these other approaches to awareness, we discuss how improved approaches to defining and measuring ISA have the potential to give practitioners and scholars more guidance on which SETA approaches are most effective for which outcomes and which populations, given the investment needed to implement the program.
The Impact of Workload on Phishing Susceptibility: An Experiment
Phishing is when social engineering is used to deceive a person into sharing sensitive information or downloading...