Do SETA Interventions Change Security Behavior? – A Literature Review

Abstract

Information security education, training, and awareness (SETA) are approaches to changing end-users’ security behavior. Research into SETA has conducted interventions to study the effects of SETA on security behavior. However, we lack aggregated knowledge on ‘how do SETA interventions influence security behavior?’. This study reviews 21 empirical SETA intervention studies published across the top IS journals. The theoretical findings show that the research has extended Protection Motivation Theory by (1) enhancements to fear appeals; (2) drawing attention to relevance; (3) incorporating temporality; (4) and shifting from intentions to behavior. In terms of behavior, the SETA interventions have targeted (1) information security policy compliance behavior; and (2) information protection behavior. We argue that while these studies have provided insights into security intentions and behavior, knowledge on designing effective SETA training has remained primarily anecdotal. We contribute (1) by pointing out gaps in the knowledge; and (2) by proposing tentative design recommendations.