Data breaches are becoming more frequent year by year, and the threat caused by the phenomenon to businesses and societies increases along with the number of attacks. Human factors such as errors by individuals, negligence or a tendency to be trustful or helpful, seem to be a major cause of the incidents in the information security field. 

Human factors can be mitigated through technical solutions and processes to support the user. This alone might not be enough. It can be necessary to find ways of affecting human behaviour, knowledge and understanding of the risks as well as the security culture within organisations.

The study aims to answer how the effectiveness of information-security education, training and awareness can be measured and what variables affect its effectiveness. It shows that financial measuring is lacking due to the state of statistics concerning threats and too many unjustified assumptions have to be made, for example attacker motivation, capability or similar. Methods exist and are applicable for measuring the effectiveness of an information-security education, training and awareness program in a specific area, such as password strength or social engineering threats. Motivation of the participant, method of delivery or how the organisation is performing were also found to be variables that affected the effectiveness.

Provide best possible solution

Rickhard Alén will begin his PhD studies at the University of Jyväskylä in Finland under the tutelage of Mikko Sipponen.

Rickhard Alén
Rickhard Alén

“The big picture that creates the motivation towards learning has always been something that has interested me”, says Rickhard Alén.

“My doctoral thesis will focus on the methods of education. The main topic will be gamification and how that can be used to improve information security training in organisations. I feel it is vital that we provide the organisations with the best possible solution to the threats they face.”

“If, through my research, I can come up with a solution that both meets the needs and wants of the customer while improving organisations’ defences against social engineering, I hope that organisations that deliver the information security education will take note and move forward with an outcome that helps us all.”

Congratulations to Richard Alén for the scholarship award!

Master thesis: Measuring the Effectiveness of Information-Security Education, Training And Awareness, Rickhard Alén (1931 Kb)

Rickhard Alén is a graduate from the Master’s programme in Decision support and Risk analysis at the Department of Computer and Systems Sciences, DSV. Supervisor for the master thesis is Afzal Siddiqui.