Article

Analyzing the role of Cognitive and Cultural Biases in the Internalization of Information Security Policies: Recommendations for Information Security Awareness Programs


Abstract

Standards and best practices for information security awareness programs focus on the content and processes of the programs, without taking into consideration how individuals internalize security-related information and how individuals make security-related decisions. Relevant literature, however, has identified that individual perceptions, beliefs, and biases significantly influence security policy compliance behaviour. Security awareness programs need, therefore, to be aligned with the factors affecting the internalization of the communicated security objectives. This paper explores the role of cognitive and cultural biases in shaping information security perceptions and behaviours. We draw upon related literature from contiguous disciplines (namely behavioural economics and health and safety research) to develop a conceptual framework and analyze the role of cognitive and cultural biases in information security behaviour. We discuss the implications of biases for security awareness programs and provide a set of recommendations for planning and implementing awareness programs, and for designing the related material. This paper opens new avenues for information security awareness research with regard to security decision making and proposes practical recommendations for planning and delivering security awareness programs, so as to exploit and alleviate the effect of cognitive and cultural biases on shaping risk perceptions and security behaviour.


... • Minimise, address, or utilise these biases: affect heuristic, aggregate bias, anchoring effect, authority bias, availability heuristic, bandwagon effect, choice architecture, cognitive overloading, correspondence bias or attribution effect, confirmation bias, congruence heuristic, context of scarcity, framing effect, hassle factor, habituation, hyperbolic time discounting, loss aversion, optimism bias, present bias, priming, status quo bias, and cultural biases (Bottomley et al., 2020; Tsohou et al., 2015; Cunningham, 2020; Blau et al., 2017). Incentive CSB can be enacted using a tough or soft approach (Kirlappos et al., 2015). ...
... Therefore, an organisation should ensure that all employees are aware of the benefits associated with compliance and good CSB (Bruijn and Janssen, 2017; Tsohou et al., 2015), and their good CSB should be recognised through public praise and positive feedback. At the same time, the employees should also be made aware of the prescribed security policies and the intrinsic cost and vulnerability to resources that non-compliance could cause (Tsohou et al., 2015), as well as the proportional sanctions and fines he or she may endure for non-compliance with the security policies and misuse/abuse of information system resources (Kajzer et al., 2014; The Behavioural Insights Team, 2021) (this is also a way to utilise loss aversion bias, which states that people prefer avoiding losses to acquiring equivalent gains). Finally, it should be explained to them and, if possible, demonstrated through real-life examples how the threats could cause serious harm if they succeed (Arain et al., 2019; Blau et al., 2017) in terms of, for example, stress, reputational damage, fines, sanctions, loss of personal information, monetary loss, embarrassment, discomfort, and disruption to functioning. ...
Article
Organisations implementing cybersecurity awareness (CSA) should strive to positively change employees’ attitudes and behaviours. In practice, though, most such initiatives only manage to increase employees’ knowledge. In cybersecurity, knowledge on its own will have no significant value unless it is used to guide decisions and inspire actions. This study, therefore, has investigated the attributes that could influence and contribute to positive changes in employees’ cybersecurity behaviours. The study used a literature review for questionnaire design and then employed the Delphi method with 22 experts, which consequently identified seven such attributes. These attributes are as follows: i) obtain senior management support and participation in CSA activities; ii) consider CSA as a continuous process that needs to be updated and improved on a regular basis; iii) cultivate and spread ‘cybersecurity’ as a norm in the organisation; iv) encourage cybersecurity activities and behaviours through incentives; v) craft and use persuasive CSA messages; vi) employ innovative and effective approaches to disseminate CSA messages; and vii) recommend security activities that are achievable and pertinent for the audience.
... Extensive research has been conducted to understand the multifaceted nature of information security. Notably, [2] emphasizes the dual focus on "individual and organizational factors" as crucial elements influencing information security. This perspective is reinforced by [3], which stresses the importance of a well-structured information security policy that encompasses both organizational directives and individual responsibilities. ...
... Specifically, it reveals that a proactive security culture not only fosters compliance but also significantly enhances an organization's capacity to anticipate and mitigate security threats through improved security readiness [1]. This nuanced understanding bridges the gap identified in previous research, which called for integrated frameworks linking cultural factors with security preparedness [2], [4]. Therefore, this study contributes to a more comprehensive model of information security management by demonstrating that security culture influences security performance indirectly through security readiness, a relationship that has been underexplored in the existing literature [3]. ...
Article
Information security has become an important issue in the digital era due to increased cyber threats and data leaks. This study analyzes the influence of Organizational Culture, Risk Propensity, and Security Readiness on Organizational Security Performance, with Top Management Support as the moderating variable. This study uses a quantitative method with a survey approach and is analyzed using SPSS software for regression, mediation, and moderation tests. The results show that Organizational Culture, Risk Propensity, and Security Readiness have a significant influence on Organizational Security Performance. Security Readiness is proven to be a mediating variable that strengthens the relationship between Organizational Culture and Risk Propensity and organizational security performance. In addition, Top Management Support acts as a moderator that strengthens the relationship between the independent variables and Organizational Security Performance. This research contributes by integrating Security Readiness as a mediator and Top Management Support as a moderator in the information security framework. These findings highlight the importance of a holistic approach that includes organizational culture, risk behavior, security readiness, and top management support to improve information security resilience amid the challenges of the digital age, and the results can serve as a recommendation for the government and private sectors.
... Cybersecurity is a field characterized by constant digital threats and potential vulnerabilities (Pollini et al., 2022). To comprehend how individuals perceive and respond to these risks, a fusion of diverse theories offers a comprehensive lens that illuminates the multidimensional nature of cybersecurity risk perception (Khan et al., 2022; Safa et al., 2015; Tsohou et al., 2015). ...
... Integrating insights into these disparities and normative influences allows us to construct a more enriched understanding of how individuals confront digital risks. As cyberattacks evolve, the balance between emotional reactions and analytical assessments shapes people's responses to cyber threats (Thangavelu et al., 2021; Tsohou et al., 2015). ...
Article
This research challenges assumptions about cybersecurity risk factors, revealing that age, gender, and educational background are not significant determinants of employee susceptibility. It highlights the importance of inclusive cybersecurity training programs that cater to individuals of all age groups, dispelling the misconception that older employees are inherently less tech-savvy and more susceptible to cybersecurity threats. The findings show that cybersecurity teams within organizations significantly impact the adoption of security policies and data handling practices among employees, even though their influence on password and account security practices is limited. Organizations can adopt a holistic approach to cybersecurity training and awareness programs by leveraging these insights. This approach transcends traditional demographics and focuses on enhancing password and account security, ultimately strengthening cybersecurity postures, fostering a culture of cybersecurity consciousness, and fortifying defenses against the evolving landscape of digital threats.
... Human cognition, e.g., judgment and decision-making, is typically perceived as a weakness in cybersecurity (Zimmermann & Renaud, 2019). These shortcomings are often explained through people's reliance on cognitive heuristics, mental shortcuts and simple rules of thumb, which may offer an intuitive explanation for many things that go wrong in cybersecurity (Tsohou et al., 2015). Generally speaking, heuristics are defined as decision processes that do not consider all available information but focus on one or a few key cues. ...
... However, the cybersecurity literature seems to have adopted the mainly negative frame from modern behavioral economics, where heuristics are associated with error-prone "mental software," leading to systematic blunders and biases (Thaler & Sunstein, 2008). Whereas Kahneman and Tversky emphasized the utility of heuristics, the subsequent (cybersecurity) literature largely omitted their advantages, and heuristics are now almost exclusively seen as a weakness and a primary cause of human error in cybersecurity (Frauenstein & Flowerday, 2020; Kwak et al., 2020; Petrič & Roer, 2022; Tsohou et al., 2015). In some cases, heuristics serve as a convenient post-hoc explanation for sub-optimal decisions regarding cybersecurity (Gavett et al., 2017). ...
Conference Paper
The prevailing consensus in cybersecurity is that individuals' insecure behavior due to inadequate decision-making is a primary source of cyber incidents. The conclusion of this assumption is to enforce desired behavior via extensive security policies and suppress individuals' intuitions or rules of thumb (cognitive heuristics) when dealing with critical situations. This position paper aims to change the way we look at these cognitive heuristics in cybersecurity. We argue that heuristics can be particularly useful in uncertain environments such as cybersecurity. Based on successful examples from other domains, we propose that heuristic decision-making should also be used to combat cyber threats. Lastly, we give an outlook on where such heuristics could be beneficial in cybersecurity (e.g., phishing detection or incident response) and how they can be found or created.
... Security education, training, and awareness (SETA) programs are one intervention that may reduce the risk of being breached, as they strengthen employees' competencies in dealing with security threats (Hu et al., 2022; Thomson & Von Solms, 1998). While the overall purpose of SETA programs is considered essential to protecting organizations from data misuse, economic and financial loss, or information theft, the effectiveness of these programs is sometimes called into question (Hu et al., 2022; Tsohou et al., 2015). One reason for this may be the "one-size-fits-all" approach to educating employees on security-related topics (D'Arcy & Hovav, 2009; Dincelli & Chengalur-Smith, 2020), which can be problematic for two reasons. ...
... Multiple researchers also emphasize the importance of fitting the content to individual employee needs (Goode et al., 2018; McCrohan et al., 2010). Although many research papers have suggested recommendations for the conceptualization and design of SETA programs (Goode et al., 2018; Tsohou et al., 2015), limited research addresses the differential relevance of varying security threats for different target domains that can overcome the challenges associated with one-size-fits-all approaches. ...
Conference Paper
In recent years, the number of data breaches in the healthcare sector has steadily increased. As a result, security education, training, and awareness (SETA) programs are recognized as an integral part of educating employees about security threats. Although these programs are considered commonplace in many organizations, they often follow one-size-fits-all approaches that could hinder the success of security training. In this study, we address this issue by conducting a domain analysis for IT-secure behavior in healthcare using the evidence-centered assessment design. We define the representative target group as caregivers and physicians in hospitals. Subsequently, we observe the work tasks and assets of both job profiles in three hospitals in Germany to determine the most relevant security threats in the domain. In this way, we extend the cyber security domain model of Schuetz et al. (2023) and pave the way for developing tailored SETA programs in the healthcare domain.
... Information security academics and experts emphasise organisational human capital as a factor in mitigating security risks and hazards (Gordon and Loeb, 2005; Rančigaj and Lobnikar, 2012; Tsohou et al., 2015). Employees, often unintentionally, contribute to security breaches by engaging in dangerous behaviour, which is a direct result of a lacklustre information security culture. ...
... This occurs despite the fact that contemporary technological security controls are in place (Tsohou et al., 2015). The security of an organisation's information system depends on the online conduct of its employees. ...
Chapter
Malaysia's landscape projects are characterised by their dynamism, subjectivity, and fast-tracked nature, which increases the likelihood of multiple risks. Therefore, project practitioners must first understand risk conception to manage project risk through a systematic risk management approach effectively. This study aims to define risk conception from the perspective of landscape architecture professionals. The study involved semi-structured interviews with twenty-four landscape architect professionals based in the Klang Valley region of Malaysia, and data analysis was conducted using content and thematic analysis. The results revealed that landscape risk conception is considered average, with risks perceived as a threat to the project, uncertain, and inevitable. These findings provide a valuable lesson for practitioners to assess their current risk conception practices and implement the most effective management system to manage project risks.
... In contrast, consumers who are cognitively engaged during their decision-making process are more likely to develop recommendation behavior regarding products or services (Papadimitriou et al., 2018). Earlier research suggested that cognitive technology interaction can heighten the likelihood of recommending technology usage to others (Tsohou et al., 2015). Chopra et al. (2022) further advocated that the quality and quantity of information can boost electronic word-of-mouth behavior. ...
... This paves the way for users to recommend a chatbot system to others. Previous research suggested that informed consumers are well-received among their peers, thus propelling the spread of word-of-mouth communication (Tsohou et al., 2015). Supporting a similar viewpoint, Loureiro et al. (2022) proposed that customer influence and knowledge can foster positive chatbot advocacy. ...
Article
Chatbots incorporate various behavioral and psychological marketing elements to satisfy customers at various stages of their purchase journey. This research follows the foundations of the Elaboration Likelihood Model (ELM) and examines how cognitive and peripheral cues impact experiential dimensions, leading to chatbot user recommendation intentions. The study introduced warmth and competence as mediating variables in both the purchase and postpurchase stages, utilizing a robust explanatory sequential mixed‐method research design. The researchers tested and validated the proposed conceptual model using a 3 × 3 factorial design, collecting 354 responses in the purchase stage and 286 responses in the postpurchase stage. In the second stage, they conducted in‐depth qualitative interviews (Study 2) to gain further insights into the validity of the experimental research (Study 1). The results obtained from Study 1 revealed that “cognitive cues” and “competence” significantly influence recommendation intentions among chatbot users. On the other hand, “peripheral cues” and warmth significantly contribute to positive experiences encountered during the purchase stage. The researchers further identified 69 thematic codes through exploratory research, providing a deeper understanding of the variables. Theoretically, this study extends the ELM by introducing new dimensions to human‐machine interactions at the heart of digital transformation. From a managerial standpoint, the study emphasizes the significance of adding a “humanness” element in chatbot development to create more engaging and positive customer experiences actively.
... Theory of planned behavior (TPB), Ajzen [1]: explains that behavior is driven by intentions influenced by attitudes, subjective norms, and perceived control. Widely used to predict compliance intentions with information security policies [4].
Protection motivation theory (PMT), Rogers [24]: suggests that behavior is motivated by perceived severity, vulnerability, response efficacy, and self-efficacy. Used to understand responses to security threats and motivation for compliance [33].
Deterrence theory, Straub [36]: focuses on the prevention of non-compliance through the perceived certainty, severity, and celerity of sanctions. Explains the impact of punitive measures on security compliance [10].
Health belief model (HBM), Rosenstock [25]: proposes that health behaviors are influenced by perceived threats and the benefits of action. Adapted to study security behaviors, focusing on perceived risks and benefits of compliance [20].
Parsons et al. [21]: found that higher ISA correlates with better compliance behaviors among employees. Emphasizes the need for ongoing education and training programs to improve security behaviors. "Security lapses and information security measures" ...
Article
This study investigates the factors influencing employee compliance with information security policies, with a specific focus on the interplay between behavioral and technological elements shaping employee behavior. Compliance with these policies is critical in safeguarding organizational assets in an increasingly digital and interconnected world. Addressing the gap in current literature, this research highlights the integration of behavioral theories into cybersecurity, offering a unique perspective that bridges the human and technological dimensions. Unlike prior studies that predominantly emphasize technical solutions, this work underscores the importance of organizational culture, individual attitudes, and leadership in fostering compliance. The study employs a systematic literature review following the PRISMA methodology, analyzing 2001–2023 publications from leading databases such as ACM Digital Library, IEEE Xplore, ScienceDirect, and Web of Science. This rigorous approach ensures the inclusion of high-quality studies, facilitating a comprehensive analysis of the factors influencing compliance. The findings reveal that perceived effectiveness of security measures, top management support, and organizational culture are pivotal in shaping compliance behaviors. Strategies that combine intrinsic motivators, such as personal responsibility, with extrinsic incentives, like rewards and enforcement, are identified as the most effective. These results have significant implications for practice, particularly in designing cybersecurity awareness programs tailored to individual and contextual differences. Such initiatives can be instrumental for organizations and governments in strengthening security postures across diverse sectors. By addressing both technological vulnerabilities and human behavior, this study contributes to the development of more holistic and sustainable cybersecurity strategies.
... 250). In addition to internal organizational objectives, SETA initiatives are influenced by external authorities such as regulatory and compliance drivers [92]. General observations regarding the positive effects of SETA are apparent, such as a reduction in weak passwords and an increase in ISP compliance [93]. ...
Article
Cybercrime is currently rapidly developing, requiring an increased demand for information security knowledge. Attackers are becoming more sophisticated and complex in their assault tactics. Employees are a focal point since humans remain the ‘weakest link’ and are vital to prevention. This research investigates what cognitive and internal factors influence information security awareness (ISA) among employees, through quantitative empirical research using a survey conducted at a Dutch financial insurance firm. The research question of “How and to what extent do cognitive and internal factors contribute to information security awareness (ISA)?” has been answered, using the theory of situation awareness as the theoretical lens. The constructs of Security Complexity, Information Security Goals (InfoSec Goals), and SETA Programs (security education, training, and awareness) significantly contribute to ISA. The most important research recommendations are to seek novel explaining variables for ISA, further investigate the roots of Security Complexity and what influences InfoSec Goals, and venture into qualitative and experimental research methodologies to seek more depth. The practical recommendations are to minimize the complexity of (1) information security topics (e.g., by contextualizing it more for specific employee groups) and (2) integrate these simplifications in various SETA methods (e.g., gamification and online training).
... Rampold et al. (2023) argue that current security education, training, and awareness (SETA) programs do not sufficiently induce individuals to behave in a security-conscious manner. Hu et al. (2021) and Jenkins and Durcikova (2013) attribute this to common "one-size-fits-all" SETA approaches, which is why Tsohou et al. (2015) suggest target group segmentation or customization based on individuals' cultural and cognitive attributes. One of the challenges for cyber security research about the human firewall is that each individual has a divergent cyber risk profile due to their risk behavior (McGregor et al., 2024; Schütz, Rampold, Kalisch, & Masuch, 2023), e.g., the length and type of internet use, the criticality of the websites visited, the update frequency of the installed software, and the age of the hardware used. ...
Conference Paper
Individuals are often considered the weakest link in the cyber security chain, making their cyber security competencies (CSC) crucial as a "human firewall" against cyber-attacks. Current Security Education, Training, and Awareness (SETA) programs often seem to fail due to their "one-size-fits-all" approach. However, to enable more tailored SETA programs, we believe that upstream CSC tests are needed. We utilize the Design Science Research (DSR) framework, as outlined by Peffers et al. (2007), to design a virtual reality (VR) artifact that simulates realistic cyber threat scenarios, such as finding and inserting a malicious USB flash drive. Building on Köpfer et al.'s (2023) model, which specifies seven dimensions of CSC, our work proposes a scalable, customizable, and immersive solution to assess individuals' CSC using VR-based tests. Based on measured competence levels, more tailored SETA programs can be offered to close specific CSC gaps.
... In other words, they are more inclined to practice safety awareness and preventive measures. Therefore, employees are more likely to abide by information security policies if they are made aware of the likelihood and consequences of disobeying those policies (Tsohou et al., 2015). Previous research demonstrates that cybersecurity awareness (Lee & Kim, 2023; Li et al., 2016, 2022). ...
Article
Purpose: This paper aims to investigate the influence of cybersecurity awareness and compliance attitudes on the protective behaviours exhibited by employees. This study also aims to explore the complex correlation between the level of awareness about cybersecurity measures and attitudes towards compliance with these measures. Additionally, it looks at how these factors collectively impact employees’ behaviour to protect organisational assets and information.
Design/methodology/approach: This study uses a quantitative research methodology in which primary data are gathered using a survey questionnaire distributed to personnel employed at Vietnamese organisations. The data are analysed, and the validity of the measurement and structural equation model is assessed using a partial least squares–structural equation model approach after the collection of all the survey responses.
Findings: The provision of policies and security education, training and awareness programmes are strongly and positively associated with cybersecurity awareness. Moreover, cybersecurity awareness plays an important role in shaping attitudes and intentions towards information security policy compliance (ISPC). Attitude is positively associated with intention towards ISPC and employee protective behaviour. Finally, the intention towards ISPC is significant in shaping employee protective behaviour.
Originality/value: This study contributes to the understanding of the antecedents of cybersecurity in developing countries such as Vietnam. Furthermore, it provides a comprehensive framework for understanding intention and protective behaviour through cybersecurity awareness and compliance attitudes. By combining the theory of planned behaviour and protection motivation theory with institutional governance, this study extends previous research on the effects of these variables on employee protective behaviour.
... In behavioral cybersecurity research, there has been a great deal of work on noncompliance behaviors (Ifinedo, 2012; Safa et al., 2015; Safa et al., 2016; Tsohou et al., 2015), referred to variably as computer abuse, computer misuse (D'Arcy et al., 2009; Straub, 1990), information security policy (ISP) violations, or noncompliance (Crossler et al., 2013; Sommestad et al., 2014). Typically, the fundamental aim of this research stream is predictive success (i.e., to show improvement in ISP behavior), with most studies aiming to do so by explaining the motivations of those engaging in ISP non-compliance (D'Arcy et al., 2009; Moody et al., 2018; Vroom & Von Solms, 2004). ...
... This indicates that deck officers' cyber risk perception is not only influenced by their own experiences, but also by cyber incidents within the maritime industry known through storytelling or media. Even so, the official number of cyber-attacks towards OT systems is much lower than towards IT systems [7], making it important to establish reporting systems for maritime cyber incidents and develop effective awareness campaigns and risk communication tools [67]. More statistical data on maritime cyber incidents would further inform deck officers' cyber risk perceptions and support decision making related to cyber risk management [5]. ...
Article
Through a quantitative study of deck officers’ cyber risk perceptions towards information (IT) and operational (OT) systems, this paper contributes to substantiating the importance of considering human behaviour within maritime cyber security. Using survey data from 293 deck officers working on offshore vessels, statistical analyses were conducted to measure and predict the participants’ cyber risk perceptions towards IT and OT systems. Performing a Wilcoxon signed-rank test revealed a significant discrepancy in the levels of cyber risk perception between the system categories. Hierarchical regression analyses were conducted to develop statistical models, considering multiple independent variables, including perceived benefit, cyber security training, experience with cyber-attacks, and trust towards various stakeholders. Key findings revealed distinct results for IT and OT systems, and the regression models varied in both predictive power and significance of the independent variables. Perceived benefit positively predicts deck officers’ cyber risk perception for both IT and OT systems, while trust, which included measures of social trust and confidence, was not found to be significant. Cyber security training and experience with cyber-attacks only influence deck officers’ perception of cyber risks related to operational technology. Practical implications of this work provide actionable recommendations for the maritime industry, including tailored risk communication tools, training programs, reporting systems, and holistic policies.
... Cybersecurity Awareness Poster Examples [122] ...
Preprint
In the dynamic realm of cybersecurity, awareness training is crucial for strengthening defenses against cyber threats. This survey examines a spectrum of cybersecurity awareness training methods, analyzing traditional, technology-based, and innovative strategies. It evaluates the principles, efficacy, and constraints of each method, presenting a comparative analysis that highlights their pros and cons. The study also investigates emerging trends like artificial intelligence and extended reality, discussing their prospective influence on the future of cybersecurity training. Additionally, it addresses implementation challenges and proposes solutions, drawing on insights from real-world case studies. The goal is to bolster the understanding of cybersecurity awareness training's current landscape, offering valuable perspectives for both practitioners and scholars.
... Often, SETA programs are offered to the entire workforce [13], which means that the programs are not customized to the exact threats or activities of the participants, and consequently participants are not trained on the most relevant risks [15,17]. Therefore, more effective SETA programs are characterized by being customized to a specific target group [39]. However, private individuals as a target group rarely undergo SETA programs or similar awareness measures. ...
Preprint
Companies, public authorities, and private Internet users are increasingly confronted with cyber risks. However, research and practice have focused particularly on cyber security in an organizational context. This ignores the fact that private individuals face cyber risks that differ from those they encounter as part of their job profile in an organizational context. Moreover, it is evident that private individuals behave differently concerning cyber risks, which can be explained by different threat awareness as part of multi-dimensional cyber security competencies. Therefore, we extend the Cyber Security Domain Model (CSDM), which was initially established as the content-related prerequisite for building cyber security competencies in an organizational context, to individuals. Both practitioner and academic sources were identified that allow further refinement of the two dimensions of (1) threat area and (2) threat event in the context of individuals, using a structured literature review.
... Haugen & Selin, 1999; Vasiu & Vasiu, 2004) ISS literature has focused heavily on the intentional but non-malicious violations with an emphasis on three main countermeasures: security education, training, and awareness (SETA) programs, fear appeal, and system monitoring (D'Arcy et al., 2009; Hsu et al., 2015; Johnston & Warkentin, 2010). SETA enhances users' risk awareness of their behavior and their capacity for technology threat avoidance, which is considered a valuable measure for coping with unintentional ISP violation behaviors (Tsohou et al., 2015). For these SETA programs, a significant theory behind them is that an organization's code of conduct, influencing their SETA programs, clarifies responsibility and deters unethical behavior (Harrington, 1996; Myyry et al., 2009). ...
Article
Background: Employee computer fraud is a costly and significant problem for firms. Using the fraud triangle theory, this study explores the extent to which an employee’s perception of opportunity, rationalization, and work pressure will contribute to their likelihood of committing computer fraud (i.e., intentional, malicious, or while motivated through a self-interest gain of information systems (IS) security policy non-compliance behaviors). Method: A model is proposed and empirically validated through survey data collected from various industries from 213 computer-using employees with financial responsibilities within their organizations in the U.S. Results: This study’s findings suggest when individual employees experience high levels of work pressure, they may be more likely to commit computer fraud. Organizations can guard against this behavior by monitoring their employees’ assigned workload and performance expectations to prevent these unwanted behaviors. This study demonstrates a need for future research to investigate further the motivations employees may have besides financial greed when committing different types of computer abuse behaviors. Conclusion: This study, based upon the fraud triangle theory, empirically reveals the importance of monitoring general work pressure to guard against employees committing computer fraud behaviors. Computer fraud behaviors should be considered a distinct type of information security violation behavior.
... Figure 5 visualises the keyword co-occurrence network with the colours of the nodes (keywords) and the links between these depicting the year. Research up to 2016 has had a significant focus on the development of security policies and their moderating effect on culture, awareness and behaviour of employees [24,25], including training through simulated phishing attacks at organizations [26,27]. In 2017-2018, cyber training efforts were focussed on designing training that could take into account the current awareness of employees and their cognitive abilities [28] while using systematic training approaches to improve awareness [29]. ...
... Many researchers recognise the need to integrate cognitive psychology with various aspects of information security. For example, Tsohou, Karyda, and Kokolakis (2015) found information obtained through information security awareness programs is filtered through an individual's cognitive and cultural biases which affects their intention to comply with policies. Liu et al. (2018) demonstrated how human cognitive modelling can be used to conduct a user-independent interkeystroke timing attack on PINs. ...
Thesis
Full-text available
This study demonstrates how cognitive psychology and human factors methods can be leveraged to create an organisational security culture using a real-life organisation as a case study. It hypothesises 1) the organisation’s security culture is being hindered by aspects of their organisational culture, and 2) the organisation’s information security policies and procedures are not communicated in a way that complements their organisational culture. Cognitive psychology helps to understand how humans process and store information. This work argues that understanding these processes helps to design artefacts that align with people’s natural cognitive structure and maximise information retainment. Questionnaires and interactive management are two methods commonly used in human factors for helping to understand the problem before prematurely focusing on solutions. The results show the organisation has an information security culture already existing, but highlight major problems with the organisation’s communication, documentation of policies and procedures, and investment in information security training. Smaller problems are identified in management support and the rewarding and recognition of employees for their behaviour. Several artefacts were created to address these problems: an internal information security intranet site, monthly training sessions, the ‘security hero’ program, and gamification. Other recommendations are also made that could not be produced. How much these artefacts help to solve the problem could not be measured as the organisation could not implement them within the restricted time frame for this study, so this will be covered in future work. However, the artefacts are supported by work reviewed for this study and imply promising results.
... Image information has gradually become one of the main ways that people obtain information. How to ensure the safe transmission of information has become a hot spot [8,9,23,24]. For the conventional encryption algorithms, such as DES (Data Encryption Standard) algorithm and AES (Advanced Encryption Standard) algorithm, they are only appropriate for one-dimensional text data encryption but not proper for two-dimensional image encryption [10]. ...
Article
Full-text available
Due to the complex dynamic characteristics, randomness, larger key space and better sensitivity of hyper-chaotic systems, they are very suitable for application in image encryption. This paper mainly proposes a double parity alternate-based image encryption scheme with a four-dimensional hyper-chaotic system. The key stream, produced by the hyper-chaotic system, is closely related to the plain-text image. First of all, parity alternate scrambling is used to change the image pixel position, and then bit-plane parity alternate scrambling is used, which can change not only the position but also the pixel value. Finally, the key stream generated by the hyper-chaotic system is used to diffuse the image to make the encryption system more secure. Additionally, the use of the double parity alternate scrambling and diffusion can make the pixel value distribution of the image more uniform, and the given scheme is not only simple and easy to implement but can also resist some attacks effectively, such as differential attacks, statistical attacks, etc. Theoretical analysis and numerical simulation show that the given scheme has good safety performance and good reliability for image encryption.
... Most publications in this sector concentrate on intention as a leading indicator for ISPC. The range of evaluated constructs which impact ISPC and ongoing behavioural intention towards upholding policy guidelines include fear (Boss et al., 2015; Crossler et al., 2013), threat (Putri and Hovav, 2014), response efficacy, and habit (Johnston et al., 2015b; Sommestad et al., 2014; Tsohou et al., 2015), neutralization (Bansal et al., 2020), reactance (Youn and Kim, 2019) and role values (Koohang et al., 2020). These are all incorporated into the UMISPC (Moody et al., 2018). ...
Article
Delay discounting is a behavioral process, which explains certain peculiarities of human decision-making when choices and their consequences are separated from each other in time. The concept has been used in psychology and behavioral economics to explain how individuals make suboptimal choices with undesirable individual and societal consequences. Existing research shows that individuals can be characterized by several discounting parameters (k) across contexts, capturing the rate at which future gains and losses decrease in value as seen from the present. The present paper investigates how the concept of delay discounting can be utilized to better understand human choices regarding the implementation of information security controls in organizational settings. The study relies on a validated psychometric instrument (MCQ-21) to collect gold-standard k parameters with monetary outcomes. Furthermore, two novel variants are developed to estimate individuals’ k parameters with outcomes specific to the information security context. Within the framework of a nonexperimental correlational research design, an online survey was distributed among the employees (n = 135) of three Norwegian organizations. Contrary to expectations, none of the k parameters provided predictive power as predictors of real-world behavior in organizational settings. Nevertheless, the same behaviors were predicted by an attitude-based measure with an accuracy (adjusted R² = 0.22) which is observed generally in the literature of behavior prediction using attitudes as predictors. This paper contributes the first results on assessing the effectiveness of delay discounting parameters for behavior prediction within the context of information security.
Article
Full-text available
The study aims to examine and evaluate the academic work on information security management in healthcare institutions. In this respect, the study investigated the journals, publications, authors and institutions with the most citations and publications in the field of information security management in healthcare institutions, together with co-authorship in the field, the co-occurrence of keywords and their changes over time. For this purpose, a bibliometric study was carried out. Publications in the Web of Science database between 1982 and 2023 were analysed using the VOSviewer program. The research was conducted along two dimensions: performance analyses (journals, countries, publications, citations, etc.) and bibliometric analyses (co-authorship, keyword co-occurrence and distribution by period). The analysis of the data obtained in the study found that the numbers of publications and citations in the field have concentrated in the recent period. The USA holds the leading position in terms of the number of publications and citations. It was observed that IEEE stands out in citation/publication effectiveness in the field; that the most publications were produced by De Montfort University; that the most citations belong to the University of Hong Kong and the University of Salerno; and that the most influential author in the field is Christian Esposito. In conclusion, the study assesses that research addressing the legal, ethical and organisational (staff perception, digital literacy, etc.) perspectives of information security would contribute to the field.
Chapter
Canada is a global leader in agri-food with respect to quality, innovation, transparency, food security and social development goals. Maintaining this position will be essential to sustaining economic well-being, to tackling emissions, and to enabling global food security in the coming decades. Access to safe, secure and affordable food at home contributes to domestic tranquility. Resilient international supply chains enable global stability by helping countries impacted by the climate crisis and/or conflict to adapt to fluctuations in food production. Consequently, food security can be thought of as an element of national security for both the net exporter and the net importer. The capacity of agricultural production, processing and distribution to meet the demands of this century is being enabled by digital technologies, including Artificial Intelligence (AI), which are changing how we produce and distribute food. Yet, despite the many benefits it may offer, digitally-enabled agriculture and its supply chains include vulnerabilities related to cybersecurity. These vulnerabilities are opportunities for criminal profit-making and for geo-political adversaries to inflict damage at-scale across this critical infrastructure. Among critical infrastructures, the agri-food system is arguably the least cyber mature and is beset by a general lack of awareness and attention to cybersecurity as a focus of research and policy development, or as a best practice for farm business risk management and agri-food business development. As a result of these factors, the agri-food system represents the softest of targets for those seeking to disrupt critical infrastructures, either as part of criminal exploits or non-kinetic military operations, just below the threshold of armed conflict. For example, cyber-enabled foreign disinformation operations can disrupt Canada’s food production, impact food safety, hurt our global brand and cost money. 
In this sense, inattention to the cybersecurity and cyber preparedness of this sector represents a less than obvious national security threat meriting attention. In addition to delineating key facets of this threat, we propose a sector-focused framework for enhancing preparedness and resilience.
Article
Insider deviant behavior (IDB) in information security (IS) poses significant threats to public and private organizations. To enhance our understanding of IDB, we conducted a systematic review of existing literature, analyzing theories from the fields of criminology (e.g., Deterrence Theory), sociology (e.g., Social Control Theory), and psychology (e.g., Neutralization Techniques) utilized in IS research on IDB. We identified 46 theories from these disciplines, which we categorized into four main groups: psychological and behavioral, organizational, sociocultural, and decision-making. Additionally, we classified their constructs into eight key factors. Further, ten IDBs frequently studied in IS were identified. Our analysis identified relationships among these theories, emphasizing shared concepts that improve our comprehension of IDB. These relationships and their implications for theory and practice are discussed, offering insights into the multifaceted nature of insider deviance and the diverse theoretical lenses through which it can be examined. This review not only consolidates existing knowledge but also lays the groundwork for future research in effectively addressing insider deviant behavior.
Conference Paper
The digital era has been accompanied by an overabundance of information security attacks the bulk of which are predominantly directed at the financial services firms for financial gain. The possible safety measure to the menace of information security breaches is the refinement of information security culture. Information security culture strives to guard the information assets of firms by the way of influencing humans to conduct themselves in a way that is compatible with the safeguarding of organizational assets. Temporal strategies, spatial strategies, information security awareness and information security education and training are proposed as some of the main determinants of information security culture in the financial services. Therefore, this paper investigates the impact that temporal strategies, spatial strategies, information security awareness and information security education and training exert on financial services firms’ information security culture. This paper is a quantitative case study of four financial services firms in Zimbabwe. The results of this study show that temporal strategies, spatial strategies and information security awareness are not related to information security culture in the financial services. On the other hand, information security education and training is a predictor of information security culture in the financial services.
Article
Full-text available
The present study aimed to identify the relationship between intellectual security and psychological defeat among university youth. The sample consisted of (620) university students from some Egyptian and Saudi universities. The two researchers prepared two scales, for intellectual security and for psychological defeat, and the study used the descriptive method. After processing the data statistically and applying the appropriate methods, the results of the study indicated a statistically significant negative correlation between the scores of the study sample in intellectual security and their scores in psychological defeat; no statistically significant differences between the mean scores of the study sample in intellectual security according to gender (male/female) or academic specialisation (literary/scientific); likewise no statistically significant differences between the mean scores of the study sample in psychological defeat according to gender (male/female) or academic specialisation (literary/scientific); and the possibility of predicting psychological defeat in the study sample from their scores on the dimensions of the intellectual security scale. A set of proposals was also formulated that could contribute to developing university youth in a balanced manner.
Article
Full-text available
In the dynamic landscape of modern marketing, decision-making processes play a pivotal role in shaping organizational strategies and outcomes. This theoretical study delves into the intricate relationship between cognitive marketing and strategic drift, with a particular focus on the pervasive influence of cognitive bias in marketing decision-making. The study begins by outlining the fundamental concepts of cognitive marketing, which emphasize the cognitive processes, perceptions, and behaviors of consumers and marketers alike. It underscores the importance of understanding the intricacies of how humans process information, make judgments, and form preferences in the context of marketing. One of the central tenets of this study is the exploration of how cognitive bias, a prevalent cognitive phenomenon, can lead to strategic drift in marketing. Cognitive biases, stemming from heuristics and psychological shortcuts, often distort marketers' judgments and choices, potentially diverting them from well-planned marketing strategies. The study highlights a range of cognitive biases, including confirmation bias, anchoring, and availability heuristics, and their implications for marketing decision-making. Furthermore, this study offers insights into the potential consequences of strategic drift in marketing, such as misaligned messaging, diminished customer engagement, and suboptimal performance. It explores strategies to mitigate the negative impacts of cognitive bias, emphasizing the importance of cognitive awareness and decision-making frameworks to promote more informed and rational marketing choices.
1. Introduction
In the fast-paced world of marketing, decision-making processes are at the heart of organizational strategy development and execution. The ability to make informed, rational, and effective decisions is paramount for marketers aiming to achieve their goals in a highly competitive and ever-evolving landscape.
This theoretical study embarks on a comprehensive exploration of the intricate relationship between cognitive marketing and a phenomenon known as "strategic drift," while placing a spotlight on the pervasive influence of cognitive bias in marketing decision-making. Cognitive marketing, as a discipline, focuses on understanding and harnessing the cognitive processes, perceptions, and behaviors of both consumers and marketers. It recognizes that in the realm of marketing, successful strategies depend not only on the quality of the product or service but also on how these offerings are perceived and received by the target audience. Consequently, cognitive marketing seeks to shed light on the psychology behind consumer preferences, judgments, and information processing, thereby providing a more profound understanding of the multifaceted marketing landscape. Strategic drift, on the other hand, is a concept that raises concerns about the consistency of an organization's strategy over time. It suggests that as time elapses, a gap may emerge between the organization's intended strategy and the actual strategy that it ends up following. For marketing professionals, this can be a particularly vexing issue, as strategic drift can lead to misalignment with the market, customer disengagement, and, ultimately, suboptimal performance.
Chapter
Full-text available
Small and medium enterprises (SMEs) are crucial to national and regional development and are significant drivers of job creation and income generation. To remain competitive, SMEs are increasingly adopting Digital Transformation (DT) and Business Model Innovation (BMI) to take advantage of modern digital technologies. However, these transformations can also pose serious cybersecurity risks if organisations do not prioritise cybersecurity threats associated with these modern technologies. Therefore, this conceptual desktop study examines the cybersecurity risks of information and communication technologies (ICT) utilised in DT and BMI processes and recommends fostering an appropriate cybersecurity culture to protect SMEs during and after these transformations.
Chapter
Full-text available
Business Models and Innovative Technologies for SMEs focuses on technologies such as data analytics, artificial intelligence and data as a service. As these technologies offer new possibilities, small and medium enterprises (SMEs) often struggle to grasp their full potential within evolving business landscapes. Five reviews discuss the potential of these technologies to drive SME growth. The book also highlights the need for a strategic approach to overcoming the challenges faced by SMEs in creating innovative business models, such as limited resources, infrastructure hurdles, and financial limitations. The chapters explore diverse facets of business model innovation, covering strategic models for mobile application development, the critical role of cybersecurity culture, readiness assessments, digital transformations leveraging artificial intelligence, expert systems' impact on competitiveness, and the adoption of data as services in SMEs. Each chapter is tailored to provide actionable insights drawn from theory and, where possible, real-life case studies, addressing questions related to technological benefits, innovative strategies, and challenges in implementing digital transformations for SMEs. This book caters to a wide audience of academics, researchers, policymakers, and business practitioners deeply invested in SME development, offering practical solutions and theoretical frameworks. The combination of scholarly and practical approaches towards developing and implementing innovative strategies makes it a valuable resource for readers seeking to understand and support SME growth.
Article
Full-text available
Cloud storage technology is attracting more attention due to the increasing implementation of technology in everyday life. The present study aims to assess Iranian iCloud users' richness of information security awareness at the three levels of knowledge, attitude, and behavior, based on six aspects required for adhering to information security policies. Accordingly, in this study, the self-reported data of 384 Iranian users of Apple products (IUAP) were investigated using a questionnaire designed by a researcher. Then, the data were analyzed using Microsoft Excel software. Using a quantitative approach and descriptive statistics, this research showed that the average information security awareness of IUAP is 3.22 out of 5, a slightly higher than average score. Almost three-quarters of them use iCloud, mainly because of its easy access to information. It also assesses various aspects and examples of information security awareness and behaviors that indicate compliance with information security policies. Finally, the general knowledge of Iranian iCloud users about the components of information security awareness is estimated to be 73.83, which is relatively low and unsatisfactory, showing that more attention and training are needed. Moreover, this study prioritizes different components of information security awareness.
Chapter
Significant evidence indicates that insecure employee behavior can be a major threat, undermining cybersecurity in organizations. Although cybersecurity awareness programs aim to enhance behavior and mitigate security risk, much of the current provision is essentially designed to offer a one-size-fits-all approach and does not pay attention to the differences in security behavior and other important traits that distinguish users. Similarly, while many guidelines exist to promote good practice, this in itself does not account for how people internalize security-related knowledge and make security-related decisions. This research explores the impact of human-centric variables, organization culture and security awareness communication approaches on cybersecurity, leading towards the proposal of an initial concept for a Personalized Security Awareness Program (PSAP) framework, the intention of which is to recognize the relevant differences in the profile of the users that require awareness-related support, and then take account of this in how security messaging is delivered and how the resulting performance is evaluated. This work-in-progress paper presents the background justification for the approach and outlines the key elements to be considered in its further realization.
Keywords: Cybersecurity Awareness; Cybersecurity Education; Personalization
Article
Full-text available
The increased use of the internet raises concerns about the security of data and other resources shared in cyberspace. Although efforts to improve data security are visible, the need to continuously explore other avenues for preventing and mitigating cyberattacks is apparent. Swarm intelligence models have, in the past, been considered in cybersecurity, though there was no formal representation of the swarm intelligence knowledge domain that defines how these models fit into the cybersecurity body of knowledge. This article reviews the aspects of three swarm intelligence models that may inspire the design of the desired swarm intelligence ontology. The algorithms are particle swarm optimization, ant colony optimization, and the artificial bee colony model. In each case, we investigate the main driving features of the model, the causal aspects, and the effects of those causal aspects on the resolution of the cybersecurity problem. We also investigate how these features can be recommended as the building blocks of the desired swarm intelligence ontology. Investigations indicate that the artificial bee colony model has three outstanding aspects considered for the design of the swarm intelligence ontology, namely quality, popularity, and communication. Foraging through pheromone deposits is an outstanding component of ant colony optimization that aids in locating threat sources more quickly by using the shortest route or tracks with high pheromone deposits. The particle swarm optimization model, on the other hand, adds alignment, cohesion, and collision avoidance aspects to the ontology to augment the ant colony and artificial bee colony algorithms. In our view, although intrusion detection is a complex problem in cybersecurity, the power of integrated swarm intelligence models is more than the sum of the capabilities of each swarm intelligence model taken individually.
The article, therefore, proposes a swarm intelligence ontology that will potentially bring us closer to resolving the general cybersecurity problem.
Thesis
Employees that steal, commit fraud, sabotage or leak confidential information: it is every employer’s nightmare. Even though every public or private organisation – big or small – is vulnerable to so-called ‘insider threats’, this problem is too often overlooked because organisations assume that their employees can be trusted. Indeed, employees need to be trusted with access to the organizational assets because they need it in order to do their job. Still, this access implies that insiders are largely exempted from the security obstacles that external enemies have to overcome. Despite the fact that insiders can relatively easily threaten the organization’s assets, they are often overlooked as a potential threat. Belgium has already encountered multiple insider threat incidents. The most striking example is the nuclear reactor Doel 4, which was deliberately sabotaged by an insider. More recent examples in Belgium are Jürgen Conings and Operation Sky. In order, on the one hand, to raise awareness of the insider threat problem, and, on the other hand, to provide organizations with mitigation measures to better secure themselves against insider threats, research was done on the insider threat problem with support from Brussels Airport Company, Bel-V, Elia, Engie-Electrabel, the Federal Agency for Nuclear Control and G4S. The results of the first part of the research provide us with insights on the awareness gaps of Belgian organizations concerning the characteristics of the insider threat as well as the ways to mitigate it. The results of the second part of the research give useful insights on what can be considered ‘red flags’ of insider threats that organizations should be vigilant of, as well as on mitigation measures that organizations can use to better secure themselves against insider threats.
Conference Paper
Full-text available
Since the late 1990s, security education training and awareness (SETA) programs have become commonplace. Despite extensive research into the effective design of such programs and factors influencing compliance behavior, SETA programs tend not to be as effective as they should be. In order to tailor learning content as closely as possible to individual needs, vocational education relies on the modeling and measurement of competencies. We argue that this existing knowledge can be transferred to the information security domain. Therefore, we introduce a competence model from vocational education and consider it in the context of the information security domain. Subsequently, we conduct a structured literature review on conceptualization and effective SETA design and investigate to what extent the competence dimensions from vocational education are already considered in the SETA literature. Our results indicate that competence research can make an important contribution to adapting SETA programs to individual situational actions.
Article
Full-text available
Due to hundreds of millions of financial transactions that take place daily in the financial sector, Big Data has become a buzzword and a crucial component in financial business operations. Consequently, handling this data is becoming a major concern for many financial services. Much as this is so, the nature in which this data is generated makes it complex to analyse using traditional database management systems. Little empirical research has been done to inform financial organisations on how to analyse Big Data to improve business agility and competitiveness. More still, there is a lack of an appropriate model that could be used by financial organisations to carry out Big Data analytics. This paper sought to conceptualise a model for Big Data analytics to improve organisational competitiveness by taking the case of South African financial institutions. Collected data was analysed quantitatively and results indicated that technological, organisational, and environmental perspectives along with individual factors play a significant role in Big Data analytics improving financial institutions’ competitiveness. The identified factors were used to conceptualise a model that could be used to extend research in this direction. Results of the study revealed that as new trends in computing increase, traditional analytics currently used by many organisations gradually become obsolete hence it is recommended that the developed model be validated with a wide range of data from various organisations to identify the new factors that might be salient.
Conference Paper
Climate change information plays a pivotal role in decision-making on what crop to plant, what time to water the plant/mulch the field, what type of fertilizer to apply, and at what time. As such, small-scale rural farmers need to get climate information in real-time and in their mother language since English is a barrier. Therefore, this study assessed how climate information is disseminated to rural small-scale farmers in Raymond Mhlaba municipality, the challenges faced, and evaluated the effectiveness of the modes of disseminating climate information used currently. A Participatory Action Research methodology was adopted, informed by literature review and focus group methods. The data was collected from thirty farmers, four extension officers, and four climate and weather experts who acted as key informants. To remove bias, a randomization approach was used. SPSS software was used to analyze part of the results and draw graphs and pie charts. Results showed that 90% of the farmers receive climate information from newspapers, dramas, television, and radio. Only 10% receive information via short message service on their phones even though all the farmers own a simple cellphone. Of the 90%, 70% received their climate information through radio, which proved to be widely used for the dissemination of climate information among rural small-scale farmers. These results served as a basis for a technological intervention to improve accurate collection and real-time dissemination of climate information to rural small-scale farmers using mobile phones.
Article
Studies of risk perception examine the judgements people make when they are asked to characterize and evaluate hazardous activities and technologies. This research aims to aid risk analysis and policy-making by providing a basis for understanding and anticipating public responses to hazards and improving the communication of risk information among lay people, technical experts, and decision-makers. This work assumes that those who promote and regulate health and safety need to understand how people think about and respond to risk. Without such understanding, well-intended policies may be ineffective.
Article
Purpose – The purpose of this paper is to identify variables that influence compliance with information security policies of organizations and to identify how important these variables are. Design/methodology/approach – A systematic review of empirical studies described in extant literature is performed. This review found 29 studies meeting its inclusion criterion. The investigated variables in these studies and the effect size reported for them were extracted and analysed. Findings – In the 29 studies, more than 60 variables have been studied in relation to security policy compliance and incompliance. Unfortunately, no clear winners can be found among the variables or the theories they are drawn from. Each of the variables only explains a small part of the variation in people's behaviour, and when a variable has been investigated in multiple studies the findings often show a considerable variation. Research limitations/implications – It is possible that the disparate findings of the reviewed studies can be explained by the sampling methods used in the studies, the treatment/control of extraneous variables and interplay between variables. These aspects ought to be addressed in future research efforts. Practical implications – Decision makers who seek guidance on how to best achieve compliance with their information security policies should recognize that a large number of variables probably influence employees' compliance. In addition, both their influence strength and interplay are uncertain and largely unknown. Originality/value – This is the first systematic review of research on variables that influence compliance with information security policies of organizations.
Article
Purpose – What is the discipline's current grasp of cognitive biases in negotiation processes? What lessons can be drawn from this body of literature? The purpose of this paper is to review and discuss the limited research on cognitive biases in the context of negotiations. Design/methodology/approach – This article reviews research from judgment and decision-making, conflict management, psychology, and management literatures to systematize what we already know about cognitive biases in negotiations. Findings – Decision-making studies have mainly identified 21 biases that may lead to lower quality decisions. Only five of those biases have been studied relating to negotiations: the anchoring, the overconfidence, the framing, the status quo and the self-serving bias. Moreover, negotiation literature has identified five additional biases that affect negotiation processes: the fixed-pie error, the incompatibility error, the intergroup bias, the relationship bias and the toughness bias. Biased behavior differs across cultures and emotional mood. Research limitations/implications – Implications for future research include building comprehensive models of how negotiators can overcome cognitive biases, studying interconnections between different biases, and increasing complexity of the studies to provide practitioners with more practical advice. Originality/value – The literature reviewed in this paper spans diverse disciplines and perspectives. This paper can be a starting point for researchers interested in understanding how cognitive biases affect negotiations. Moreover, it could be a starting point for future research on this field.
Conference Paper
Information security awareness (ISA) is referred to as a state of consciousness and knowledge about security issues and is frequently found to impact security compliant behavior. However, to date we know little about the factors influencing ISA and its mediating effect on behavior. Our study addresses these gaps. We propose a research model that studies ISA's institutional, individual, and environmental antecedents and investigates the mediating role of ISA. The model was empirically tested with survey data from 475 employees. The model explains a substantial proportion of the variance of ISA (.50) and intention to comply (.41). The results imply that the provision of security policies and employees' knowledge on information systems are the most influential antecedents of ISA. The study shows that ISA mediates the relationship between ISA's antecedents and behavioral intention. The findings will be useful for stakeholders interested in encouraging employees' information security policy compliant behavior.
Article
Employees’ failure to comply with IS security procedures is a key concern for organizations today. A number of socio-cognitive theories have been used to explain this. However, prior studies have not examined the influence of past and automatic behavior on employee decisions to comply. This is an important omission because past behavior has been assumed to strongly affect decision-making. To address this gap, we integrated habit (a routinized form of past behavior) with Protection Motivation Theory (PMT) to explain compliance. An empirical test showed that habitual IS security compliance strongly reinforced the cognitive processes theorized by PMT, as well as employee intention for future compliance. We also found that nearly all components of PMT significantly impacted employee intention to comply with IS security policies. Together, these results highlighted the importance of addressing employees’ past and automatic behavior in order to improve compliance.
Article
Confirmation bias, as the term is typically used in the psychological literature, connotes the seeking or interpreting of evidence in ways that are partial to existing beliefs, expectations, or a hypothesis in hand. The author reviews evidence of such a bias in a variety of guises and gives examples of its operation in several practical contexts. Possible explanations are considered, and the question of its utility or disutility is discussed. When men wish to construct or support a theory, how they torture facts into their service! (Mackay, 1852/1932, p. 552) Confirmation bias is perhaps the best known and most widely accepted notion of inferential error to come out of the literature on human reasoning. (Evans, 1989, p. 41) If one were to attempt to identify a single problematic aspect of human reasoning that deserves attention above all others, the confirmation bias would have to be among the candidates for consideration. Many have written about this bias, and it appears to be sufficiently strong and pervasive that one is led to wonder whether the bias, by itself, might account for a significant fraction of the disputes, altercations, and misunderstandings that occur among individuals, groups, and nations.
Article
In the 1980s, social and cultural perspectives became increasingly important in the field of risk research. In current empirical research on the influence of social and cultural factors on risk perception, the cultural theory (CT) of Douglas and Wildavsky (Risk and Culture: An Essay on Selection of Technological and Environmental Dangers, Berkeley: California University Press, 1982) is the most influential approach. In 1990 Dake introduced a measurement instrument that is used broadly in quantitative studies on cultural theory and risk. In the discussion of Dake's work, two questions have emerged as most controversial. First, can Douglas and Wildavsky's theoretical concept be tested on the basis of data obtained from individuals, as is done by Dake and many other authors? Second, does the instrument introduced by Dake (Journal of Cross-Cultural Psychology, 22, 61-82, 1991) show sufficient validity, in the sense that hypotheses which could be derived from CT hold true when Dake's scales are used? Both questions are addressed here. A new instrument and strategies to test the validity are introduced, which address criticisms of Dake's work.
Article
We examine two explanations of the subliminal affective priming effect. The feelings-as-information model (Schwarz & Clore, 1988) holds that judgements are based on perceptible feelings. Hence, affective influences depend on the source to which feelings are (mis)attributed. In contrast, the affective primacy hypothesis (Zajonc, 1980) suggests that affective influences should resist attributional interventions. This is because the affective system responsible for preferences is separate from the cognitive system responsible for inferences; because early affective processes are automatic and therefore inaccessible to higher-order interventions; and because early affective responses are not represented as conscious feelings. We tested these explanations in two experiments that crossed subliminal affective priming with (mis)attribution manipulations. Both studies found reliable shifts in judgements of neutral stimuli as a result of primes even when subjects were aware that their feelings might not be diagnostic for the judgement at hand. Subjects did not report experiencing any feelings in response to the primes. The obtained affective priming effect was independent of response times and subjective reports of engaging in judgemental corrections. However, the priming effect did prove sensitive to the experimental instructions. We discuss the implications of these findings for the affective primacy hypothesis and the feelings-as-information model.
Article
This research studied online risk perceptions under the well known psychometric paradigm. We developed a taxonomy of risks appropriate for e-commerce along with variables to characterize risks and understand risk perceptions. A pilot study with 153 subjects was used to collect data on which factor analysis was conducted to identify online risk dimensions and produce a factor space diagram. This diagram represents a "cognitive map" of people's online risk perceptions and attitudes. Results suggested that subjects distinguish risks using four dimensions: direness of consequences, ability to control or avoid risks, observability/immediacy of risk consequences, and unfamiliarity of risks. A larger study is underway based on the results of the pilot study. The findings of this research study help researchers to understand and predict people's reaction to risks posed by online hazards. In addition, this study attempted to transfer a proven and popular methodology of risk perception research, the psychometric paradigm, to a new domain, e-commerce. Moreover, this study added empirical data regarding online risk perceptions to the existing body of the relevant academic research.
Article
Notes that the stimulation from a classic paper in the heuristics and biases tradition does not come only from the insights provided into processes of judgment and decision making; it also comes from anxiety, from tension introduced between immediate intuition and more measured rational belief. The classic demonstrations often suggest 2 minds at work: one following the "natural assessment methods" like representativeness and availability; and the other working to form coherent, justifiable sets of beliefs and plans of action. Topics discussed in this chapter include the following: the empirical case for 2 systems of reasoning, 2 forms of computation, 2 forms of reasoning, related evidence, empirical conclusions.
Article
People who hold strong opinions on complex social issues are likely to examine relevant empirical evidence in a biased manner. They are apt to accept "confirming" evidence at face value while subjecting "disconfirming" evidence to critical evaluation, and, as a result, draw undue support for their initial positions from mixed or random empirical findings. Thus, the result of exposing contending factions in a social dispute to an identical body of relevant empirical evidence may be not a narrowing of disagreement but rather an increase in polarization. To test these assumptions, 48 undergraduates supporting and opposing capital punishment were exposed to 2 purported studies, one seemingly confirming and one seemingly disconfirming their existing beliefs about the deterrent efficacy of the death penalty. As predicted, both proponents and opponents of capital punishment rated those results and procedures that confirmed their own beliefs to be the more convincing and probative ones, and they reported corresponding shifts in their beliefs as the various results and procedures were presented. The net effect of such evaluations and opinion shifts was the postulated increase in attitude polarization.
Article
Results of 3 studies support the notion that anchoring is a special case of semantic priming; specifically, information that is activated to solve a comparative anchoring task will subsequently be more accessible when participants make absolute judgments. By using the logic of priming research, in Study 1 the authors showed that the strength of the anchor effect depends on the applicability of activated information. Study 2 revealed a contrast effect when the activated information was not representative for the absolute judgment and the targets of the 2 judgment tasks were sufficiently different. Study 3 demonstrated that generating absolute judgments requires more time when comparative judgments include an implausible anchor and can therefore be made without relevant target information that would otherwise be accessible.
Article
Reviews what is known about the causes and effects of anchoring. This chapter begins with some definitions, and then identifies some stylized facts about this heuristic. Next, the authors examine 2 families of causes of anchoring. They close by reviewing other phenomena related to anchoring and potential applications.
Article
Information security was the main topic in this paper. An investigation of compliance with information security policies was discussed. The author mentions that the insignificant relationship between rewards and actual compliance with information security policies does not make sense. Quite possibly this relationship results from not applying rewards for security compliance. The author also mentions that, based on the survey conducted, careless employee behavior places an organization's assets and reputation in serious jeopardy. The major threat to information security arises from careless employees who fail to comply with organizations' information security policies and procedures.
Article
This research investigated information systems security policy (ISSP) compliance by drawing upon two relevant theories i.e. the theory of planned behavior (TPB) and the protection motivation theory (PMT). A research model that fused constituents of the aforementioned theories was proposed and validated. Relevant hypotheses were developed to test the research conceptualization. Data analysis was performed using the partial least squares (PLS) technique. Using a survey of 124 business managers and IS professionals, this study showed that factors such as self-efficacy, attitude toward compliance, subjective norms, response efficacy and perceived vulnerability positively influence ISSP behavioral compliance intentions of employees. The data analysis did not support perceived severity and response cost as being predictors of ISSP behavioral compliance intentions. The study’s implications for research and practice are discussed.
Article
Employees' non-compliance with IS security procedures is a key concern for organizations. To tackle this problem, there exist several training approaches aimed at changing employees' behavior. However, the extant literature does not examine the elementary characteristics of IS security training, such as the ways in which IS security training differs from other forms of training. We argue that IS security training needs a theory that both lays down these elementary characteristics and explains how these characteristics shape IS security training principles in practice. We advance a theory that suggests that IS security training has certain elementary characteristics that separate it from other forms of training, and we set a fundamental direction for IS security training practices. Second, the theory defines four pedagogical requirements for designing and evaluating IS security training approaches. We point out that no existing IS security training approach meets all of these requirements and demonstrate how to design an IS security training approach that does meet these requirements. Implications for research and practice are discussed.
Article
An effective information security program cannot be implemented without implementing an employee awareness and training program to address policy, procedures, and tools. Learning consists of three key elements: 1. Awareness, which is used to stimulate, motivate, and remind the audience what is expected of them. 2. Training, the process that teaches a skill or the use of a required tool. 3. Education, the specialized, in-depth schooling required to support the tools or as a career development process.
Article
Many decisions are based on beliefs concerning the likelihood of uncertain events such as the outcome of an election, the guilt of a defendant, or the future value of the dollar. Occasionally, beliefs concerning uncertain events are expressed in numerical form as odds or subjective probabilities. In general, the heuristics are quite useful, but sometimes they lead to severe and systematic errors. The subjective assessment of probability resembles the subjective assessment of physical quantities such as distance or size. These judgments are all based on data of limited validity, which are processed according to heuristic rules. However, the reliance on this rule leads to systematic errors in the estimation of distance. This chapter describes three heuristics that are employed in making judgments under uncertainty. The first is representativeness, which is usually employed when people are asked to judge the probability that an object or event belongs to a class or event. The second is the availability of instances or scenarios, which is often employed when people are asked to assess the frequency of a class or the plausibility of a particular development, and the third is adjustment from an anchor, which is usually employed in numerical prediction when a relevant value is available.
Article
This article describes an integration of most of the disparate likelihood judgment phenomena in behavioral decision making using a mathematical memory model. A new theory of likelihood judgments based on D. L. Hintzman's (1984, 1988) MINERVA2 memory model is described. The model, MINERVA-DM (DM = decision making), accounts for a wide range of likelihood judgment phenomena including frequency judgments, conditional likelihood judgments, conservatism, the availability and representativeness heuristics, base-rate neglect, the conjunction error, the validity effect, the simulation heuristic, and the hindsight bias. In addition, the authors extend the model to expert probability judgment and show how MINERVA-DM can account for both good and poor calibration (overconfidence) as a function of varying degrees of expertise. The authors' work is presented as a case study of the advantages of applying memory theory to study decision making.
Article
Information security is a critical issue that many firms face these days. While increasing incidents of information security breaches have generated extensive publicity, previous studies repeatedly expose low levels of managerial awareness and commitment, a key obstacle to achieving a good information security posture. The main motivation of our study emanates from this phenomenon: the increased vulnerability to information security breaches is coupled with a low level of managerial awareness and commitment regarding information security threats. We report this dissonance by addressing a cognitive bias called optimistic bias. Using a survey, we study whether MIS executives are subject to such a bias in their vulnerability perceptions of information security. We find that they demonstrate optimistic bias in risk perception in the information security domain. The extent of this optimistic bias is greater with a distant comparison target with fewer information sharing activities. This optimistic bias is also found to be related to the perception of controllability of information security threats. In order to overcome the effects of optimistic bias, firms need more security awareness training and systematic treatment of security threats instead of relying on an ad hoc approach to security measure implementation.
Article
Behavioral decision theory can contribute in many ways to the management and regulation of risk. In recent years, empirical and theoretical research on decision making under risk has produced a body of knowledge that should be of value to those who seek to understand and improve societal decisions. This paper describes several components of this research, which is guided by the assumption that all those involved with high-risk technologies as promoters, regulators, politicians, or citizens need to understand how they and the others think about risk. Without such understanding, well-intended policies may be ineffective, perhaps even counterproductive.
Article
Prior research has demonstrated that imagining hypothetical future events may render those events subjectively more likely. The suggestion has been made that this effect is due to the increased availability in memory of the events imagined. To test directly this explanation in a health context, the present study examined the effects of both ease and difficulty of imagining contracting a disease on subjects' beliefs that the event would occur. Subjects were asked to imagine contracting a disease described either as having certain easy-to-imagine symptoms or difficult-to-imagine symptoms. Following this, subjects rated their ease of imagination and estimated the likelihood of contracting the disease. The results revealed that judgments of ease or difficulty of imagination paralleled judgments of the likelihood of contracting the disease. Those subjects who rated the disease as easy-to-imagine judged the disease as more likely to occur, whereas those who experienced difficulty in imagining the disease rated it as less likely to occur. The results are interpreted in terms of the availability heuristic and give direct support for and extend this principle by showing that trying to imagine difficult-to-construct or cognitively inaccessible events reduces likelihood estimates. Implications for preventive health programs are discussed.
Article
Purpose – The purpose of this paper is to examine why mainstream information security awareness techniques have failed to evolve at the same rate as automated technical security controls and to suggest improvements based on psychology and safety science. Design/methodology/approach – The concepts of bounded rationality, mental models and the extended parallel processing model are examined in an information security context. Findings – There is a lack of formal methodologies in information security awareness for systematically identifying audience communication requirements. Problems with human behaviour in an information security context are assumed to be caused by a lack of facts available to the audience. Awareness, therefore, is largely treated as the broadcast of facts to an audience in the hope that behaviour improves. There is a tendency for technical experts in the field of information security to tell people what they think they ought to know (and may in fact already know). This “technocratic” view of risk communication is fundamentally flawed and has been strongly criticised by experts in safety risk communications as ineffective and inefficient. Practical implications – The paper shows how the approach to information security awareness can be improved using knowledge from the safety field. Originality/value – The paper demonstrates how advanced concepts from safety science can be used to improve information security risk communications.
Article
The key to addressing people factors or competencies in information technology (IT) security is awareness, training, and education. Certainly the need for government-wide attention to this area of IT security has never been greater, so issuance of this publication, Information Technology Security Training Requirements: A Role- and Performance-Based Model, (Training Requirements) is especially timely. This document has been designed as a "living handbook" to have the longest useful life possible as the foundation of and structure for "do-able" training by Federal agencies.
Article
Prior research has found consistent support for the heuristic processing model of cultivation effects, which argues that cultivation effects can be explained by the availability heuristic. The present study represents an experimental test of the heuristic processing model and tests the impact of frequency, recency, and vividness on construct accessibility and social reality beliefs. 213 students participated in a 2 × 2 × 2 prolonged exposure experimental design varying the frequency of exposure to violent television programs, the level of vividness in the programs, and recency of exposure. Dependent measures were accessibility and social reality beliefs. Results showed that reaction times were largely unresponsive to the independent variables. Although there were no main effects for frequency on social reality beliefs, there was a significant interaction between frequency and vividness on beliefs: People watching vivid violent media gave higher estimates of the prevalence of crime and police immorality in the real world in the 3× viewing condition than those in the 1× viewing condition. In concluding, it is argued that this study has important implications for the heuristic processing model, cultivation theory, and research into vividness effects.
Article
This paper seeks to compare two frameworks which have been proposed to explain risk perceptions, namely, cultural theory and the psychometric paradigm. A structured questionnaire which incorporated elements from both approaches was administered to 129 residents of Norwich, England. The qualitative risk characteristics generated by the psychometric paradigm explained a far greater proportion of the variance in risk perceptions than cultural biases, though it should be borne in mind that the qualitative characteristics refer directly to risks whereas cultural biases are much more distant variables. Correlations between cultural biases and risk perceptions were very low, but the key point was that each cultural bias was associated with concern about distinct types of risks and that the pattern of responses was compatible with that predicted by cultural theory. The cultural approach also provided indicators for underlying beliefs regarding trust and the environment; beliefs which were consistent within each world view but divergent between them. An important drawback, however, was that the psychometric questionnaire could only allocate 32% of the respondents unequivocally to one of the four cultural types. The rest of the sample expressed several cultural biases simultaneously, or none at all. Cultural biases are therefore probably best interpreted as four extreme world views, and a mixture of qualitative and quantitative research methodologies would generate better insights into who might defend these views in what circumstances, whether there are only four mutually exclusive world views or not, and how these views are related to patterns of social solidarity, and judgments on institutional trust.
Article
The anchoring effect is one of the most robust cognitive heuristics. This paper reviews the literature in this area, including the various models, explanations and underlying mechanisms used to explain anchoring effects. The anchoring effect is both robust and has many implications in all decision making processes. This review paper documents the many different domains and tasks in which the effect has been shown. It also considers mood and individual difference (ability, personality, information styles) correlates of anchoring as well as the effect of motivation and knowledge on decisions affected by anchoring. Finally, the review looks at the applications of the anchoring effect in everyday life.
Article
Cultural Theory, as developed by Mary Douglas, argues that differing risk perceptions can be explained by reference to four distinct cultural biases: hierarchy, egalitarianism, individualism, and fatalism. This paper presents empirical results from a quantitative survey based on a questionnaire devised by Karl Dake to measure these cultural biases. A large representative sample (N = 1022) was used to test this instrument in the French social context. Correlations between cultural biases and perceptions of 20 social and environmental risks were examined. These correlations were very weak, but were statistically significant: cultural biases explained 6%, at most, of the variance in risk perceptions. Standard sociodemographic variables were also weakly related to risk perceptions (especially gender, social class, and education), and cultural biases and sociodemographic variables were themselves intercorrelated (especially with age, social class, and political outlook). The authors compare these results with surveys conducted in other countries using the same instrument and conclude that new methods, more qualitative and contextual, still need to be developed to investigate the cultural dimensions of risk perceptions. The paper also discusses relationships between perceptions of personal and residual risk, and between perceived risk and demand for additional safety measures. These three dimensions were generally closely related, but interesting differences were observed for some risk issues.
Conference Paper
We draw on a qualitative study of 108 people to examine the routine sharing of passwords for online banking among married and de facto couples, Aboriginal users and people with disability in Australia. The sharing of passwords goes against current banking authentication systems and consumer protection laws that require customers not to reveal their access codes to anybody, including family members. The everyday violation of these security requirements results from the lack of fit between security design and social and cultural practice, rather than a lack of security awareness. We argue for the need to go beyond individualistic user-centered design, so that social and cross-cultural practices are at the centre of the design of technologies. The need for a social and culturally centered approach to design is even more important when dealing with different notions of privacy across cultures and a culture of shared use in public and private spaces.
Article
Secure management of information systems is crucially important in information-intensive organizations. Although most organizations have long been using security technologies, it is well known that technology tools alone are not sufficient. Thus, the area of end-user security behaviors in organizations has gained increased attention. In information security, observing end-user security behaviors is challenging. Moreover, recent studies have shown that end users hold divergent security views. The inability to monitor employee IT security behaviors and the divergent views regarding security policies, in our view, provide a setting where the principal-agent paradigm applies. In this paper, we develop and test a theoretical model of the incentive effects of penalties, pressures and perceived effectiveness of employee actions that enhances our understanding of employee compliance with information security policies. Based on 312 employee responses from 77 organizations, we empirically validate and test the model. Our findings suggest that security behaviors can be influenced by both intrinsic and extrinsic motivators. Pressures exerted by subjective norms and peer behaviors influence employee information security behaviors. Intrinsic motivation, in the form of employees' perceived effectiveness of their actions, was also found to play an important role in security policy compliance intentions. In analyzing the penalties, certainty of detection was found to be significant, while, surprisingly, severity of punishment was found to have a negative effect on security behavior intentions. We discuss the implications of our findings for theory and practice.
Article
Safety risk communications is a discipline which is significantly more mature than information security risk communications. This article reviews relevant topics in safety communications and discusses their potential application to information security.
Article
This paper examines the way in which software practitioners are taught to perform risk management, and compares it with risk management in other fields. We find that there are three major problems with risk management: false precision, bad science, and the confusion of facts with values. All of these problems can lead to bad decisions, all in the guise of more objective decision-making. But we can learn from these problems and improve the way we do risk management.
Article
This paper introduces a theoretical framework that describes the importance of affect in guiding judgments and decisions. As used here, “affect” means the specific quality of “goodness” or “badness” (i) experienced as a feeling state (with or without consciousness) and (ii) demarcating a positive or negative quality of a stimulus. Affective responses occur rapidly and automatically—note how quickly you sense the feelings associated with the stimulus word “treasure” or the word “hate”. We argue that reliance on such feelings can be characterized as “the affect heuristic”. In this paper we trace the development of the affect heuristic across a variety of research paths followed by ourselves and many others. We also discuss some of the important practical implications resulting from ways that this heuristic impacts our daily lives.
Conference Paper
Security is both a feeling and a reality. And they’re not the same. The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We can calculate how secure your home is from burglary, based on such factors as the crime rate in the neighborhood you live in and your door-locking habits. We can calculate how likely it is for you to be murdered, either on the streets by a stranger or in your home by a family member. Or how likely you are to be the victim of identity theft. Given a large enough set of statistics on criminal acts, it’s not even hard; insurance companies do it all the time.
Article
Fraudulent activity on the Internet, in particular the practice known as 'Phishing', is on the increase. Although a number of technology-focused countermeasures have been explored, user behaviour remains fundamental to increased online security. Encouraging users to engage in secure online behaviour is difficult, with a number of different barriers to change. Guided by a model adapted from health psychology, this paper reports on a study designed to encourage secure behaviour online. The study aimed to investigate the effects of education via a training program and the effects of risk level manipulation on subsequent self-reported behaviour online. The training program 'Anti-Phishing Phil' informed users of the common types of phishing threats and how to identify them, whilst the risk level manipulation randomly allocated participants to either high risk or low risk of becoming a victim of online fraud. Sixty-four participants took part in the study, comprising 9 males and 55 females with an age range of 18–43 years. Participants were randomly allocated to one of four experimental groups. High threat information and/or the provision of phishing education were expected to increase self-reports of secure behaviour. Secure behaviour was measured at three stages: a baseline measure stage, an intention measure stage, and a 7-day follow-up measure stage. The results showed that offering a seemingly tailored risk message increased users' intentions to act in a secure manner online, regardless of whether the risk message indicated they were at high or low risk of fraud. There was no effect of the training programme on secure behaviour in general. The findings are discussed in relation to the model of behaviour change, information provision and the transferability of training.
Article
An effective information security program cannot be implemented without implementing an employee awareness and training program to address policy, procedures, and tools. Learning consists of three key elements:
1. Awareness, which is used to stimulate, motivate, and remind the audience what is expected of them.
2. Training, the process that teaches a skill or the use of a required tool.
3. Education, the specialized, in-depth schooling required to support the tools or as a career development process.
Article
This article represents the first of a two-part series on the importance of providing both security awareness and information systems security training to all employees, regardless of their job responsibilities. In this first article, the focus is on the first step of providing computer and information system security—developing and implementing an effective security awareness program. Readers may ask why security awareness is not considered the same as training. The simple answer is because the desired outcome of each is different.