Deliver security awareness training, then repeat

Tapiwa Gundu, Stephen Flowerday, Karen Renaud

Research output: Chapter in Book/Report/Conference proceedingConference contribution book

3 Citations (Scopus)


Organisational information security policy contents are disseminated by awareness and training drives. Its success is usually judged based on immediate post-training self-reports which are usually subject to social desirability bias. Such self-reports are generally positive, but they cannot act as a proxy for actual subsequent behaviours.This study aims to formulate and test a more comprehensive way of measuring the efficacy of these awareness and training drives, called ASTUTE. We commenced by delivering security training. We then assessed security awareness (post-training), and followed up by measuring actual behaviours. When we measured actual behaviours after a single delivery of security awareness training, the conversion from intention to behaviour was half of the desired 100%. We then proceeded to deliver the training again, another two times.The repeated training significantly reduced the gap between self-reported intention and actual secure behaviours.
Original languageEnglish
Title of host publication2019 Conference on Information Communications Technology and Society (ICTAS)
Place of PublicationPiscataway, New Jersey
Number of pages6
ISBN (Electronic)9781538673652
ISBN (Print)9781538673669
Publication statusPublished - 2 May 2019
EventInformation Communications Technology and Society Conference - Durban, South Africa
Duration: 6 Mar 20197 Mar 2019


ConferenceInformation Communications Technology and Society Conference
Abbreviated titleIEEE ICTAS
CountrySouth Africa
Internet address


  • training
  • information security
  • electrical resistance meausrement
  • standards
  • logistics
  • reliability

Fingerprint Dive into the research topics of 'Deliver security awareness training, then repeat'. Together they form a unique fingerprint.

Cite this