Towards A Needs Assessment Process Model For Security, Education, Training And Awareness Programs: An Action Design Research Study

TLDR: This study aims to close the gap in generic process models for conducting SETA needs assessments by suggesting a systematic approach to capturing, evaluating, and depicting the current state of employees’ security awareness and behavior.

Abstract: Employees are considered to be the weakest link in information systems (IS) security. Many companies and organizations started to implement security education, training and awareness (SETA) programs. These provide their employees awareness of information security risks and the necessary skills to protect a companies’ or organizations’ information assets. To ensure that SETA programs are efficiently aligned to an organization’s objectives, it is essential to identify the most important areas on which to concentrate. In research, there is a lack of generic process models for conducting SETA needs assessments. In this study, we aim to close this gap by suggesting a systematic approach to capturing, evaluating, and depicting the current state of employees’ security awareness and behavior. Actual behavior is evaluated by determining the target values and measuring actual values with respect to security metrics. In order to contribute to both, practical and academic knowledge, we used an action design research (ADR) approach to draw general design principles from organizational intervention within an international engineering company.