Article Preview
Top1. Introduction
Institutions of higher education collect, store and disseminate information that is protected by state and federal regulations including the Family Education Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and Protections of Pupil Rights Amendment (PPRA). In response, higher education organizations are tasked with guiding their institutions in the quest to safeguard data, information systems, and networks; protect the privacy of the higher education community; and ensure that information security is an integral part of campus activities and business processes (Grajek, 2013).
The development and implementation of an information systems (IS) security policy is a mechanism used by institutions of higher education to guide business processes, organizational tasks and activities, and to ensure compliance to state and federal laws and regulations. It has been reported extensively that employees, also known as insiders, do not comply with IS security policies (Bulgurcu et al., 2010; Johnson and Warkentin, 2010; Myyry et al., 2009; Vance and Siponen, 2012; Straub, 1990; Willison and Warkentin, 2013). If users do not comply, institutions of higher education could be at serious risk of regulatory liabilities and lawsuits (Myyry et al., 2009; San Nicolas-Rocca and Olfman, 2013; Warkentin et al., 2011).
IS security continues to be a managerial concern, and has been identified as one of the top challenges facing institutions of higher education (Grajek, 2013). According to Privacy Rights Clearing House (2013), approximately 200 institutions of higher education reported data breaches between 2010 and April, 2013. Of these incidents, approximately 80 were due to end user activity, including the unintended disclosure of and/or an insider’s explicit intent to share sensitive information.
In other reports, users have directly or indirectly caused over half of all reported security breaches (Dhillon and Moores, 2001). Insider threat continues to be a significant challenge, captures a great deal of public attention (Willison and Warkentin, 2013; Shaw and Stock, 2011), and methods to improve compliance are needed.
To improve compliance, organizations have relied on IS security education, training and awareness (SETA) programs. Although it is widely accepted that these programs are important for maintaining the effectiveness of information security and privacy techniques and procedures for user compliance (Warkentin et al., 2011; Shaw and Stock, 2011), it is also important to recognize that many of these programs have been considered useless (Karjalainen and Siponen, 2011) or have been found ineffective (Albrechtsen, 2007).
The success of SETA programs depends on the ability of the training facilitator to engage trainees (Cone et al., 2007). When the instructor is able to effectively communicate the applicability and practical purpose of the material to be mastered, as distinguished from abstract or conceptual learning, the learning retention rates and the subsequent transference of the new knowledge or skill to the trainees is enhanced (NIST SP 800-16, 1998). For IS security programs aimed at user compliance, this essentially means that the training method can affect the transference of knowledge to trainees, which can therefore influence the effectiveness of IS security training and awareness programs.