Deliver security awareness training, then repeat

Gundu, Tapiwa and Flowerday, Stephen and Renaud, Karen; (2019) Deliver security awareness training, then repeat. In: 2019 Conference on Information Communications Technology and Society (ICTAS). IEEE, ZAF, pp. 106-111. ISBN 9781538673652 (

[thumbnail of Gundu-etal-IEEE-ICTAS2019-Deliver-security-awareness-training-then-repeat]
Text. Filename: Gundu_etal_IEEE_ICTAS2019_Deliver_security_awareness_training_then_repeat.pdf
Accepted Author Manuscript

Download (1MB)| Preview


Organisational information security policy contents are disseminated by awareness and training drives. Its success is usually judged based on immediate post-training self-reports which are usually subject to social desirability bias. Such self-reports are generally positive, but they cannot act as a proxy for actual subsequent behaviours.This study aims to formulate and test a more comprehensive way of measuring the efficacy of these awareness and training drives, called ASTUTE. We commenced by delivering security training. We then assessed security awareness (post-training), and followed up by measuring actual behaviours. When we measured actual behaviours after a single delivery of security awareness training, the conversion from intention to behaviour was half of the desired 100%. We then proceeded to deliver the training again, another two times.The repeated training significantly reduced the gap between self-reported intention and actual secure behaviours.


Gundu, Tapiwa, Flowerday, Stephen and Renaud, Karen ORCID logoORCID:;