Measuring the effectiveness of an information security training and awareness program

Roshan Dhakal

    Research output: Thesis › Doctoral Thesis

    3145 Downloads (Pure)


    Information security education, training, and awareness programs are designed to raise awareness of users in organisations about their roles and responsibilities in organisational information security policy. Organisational information security policy is a formal document where the set of rules and regulations on using information technology is explained. In most organisations, information security policy is not readily accessible to end users, which results in human error, either knowingly or unknowingly. This research aims to educate, train, and make users aware of information security policy; identify the organisation’s risks; report any security incidents through a security training and awareness program; and measure its effectiveness. The effectiveness of the training and awareness program could be measured by how it helps change the security behaviour of the user regarding knowledge, attitude and behaviour. In the literature review, users’ responses are investigated from both a theoretical and practical point of view. Many organisations assume that humans are the weakest link and are vulnerable to information security breaches. This research also attempts to measure the other factors that are responsible for organisational information security. Thus, this thesis describes how training and awareness program content affects the success of the program, how the experience of the training coordinator changes the program, and how the training program, outsourced program, partnering program and methods for delivering and communication affect the effectiveness of the program. This thesis further explains the implemented framework for measuring the effectiveness of the training and awareness program, and the framework for information security investment. This thesis also estimates the success factors of the training and awareness program and the reasons for the failure of the program.

    Original language: English
    Qualification: Doctor of Information Technology
    Awarding Institution
    • Charles Sturt University
    • Islam, Rafiqul, Principal Supervisor
    • Mendis, Champake, Co-Supervisor
    Publication status: Published - 2018

