“Get a red-hot poker and open up my eyes, it’s so boring”: Employee perceptions of cybersecurity training

To understand employee negative perceptions of SETA programs, researchers conducted in-depth interviews with 20 Australian employees regarding their experiences with both SETA programs and non-cybersecurity related workplace training. As expected, employees had a generally poor view of SETA programs. They reported that the same factors that are important for effective non-cybersecurity training are also important for SETA programs, such as management role modelling and well-designed workplace systems. From an applied perspective, these findings can explain why employees often do not engage with cybersecurity training material, and how their current beliefs can influence their receptivity for future training.