Walden University ScholarWorks Walden Dissertations and Doctoral Studies Walden Dissertations and Doctoral Studies Collection 2020 Exploring Cybersecurity Awareness and Training Strategies To Protect Information Systems and Data Michael Hanna Walden University Follow this and additional works at: https://scholarworks.edu/dissertations Part of the Databases and Information Systems Commons, and the Social Psychology Commons This Dissertation is brought to you for free and open access by the Walden Dissertations and Doctoral Studies Collection at ScholarWorks. It has been accepted for inclusion in Walden Dissertations and Doctoral Studies by an authorized administrator of ScholarWorks. For more information, please contact ScholarWorks@waldenu. Walden University College of Management and Technology This is to certify that the doctoral study by Michael Hanna has been found to be complete and satisfactory in all respects, and that any and all revisions required by the review committee have been made.
Review Committee Dr. Bob Duhainy, Committee Chairperson, Information Technology Faculty Dr. Constance Blanson, Committee Member, Information Technology Faculty Dr. Gary Griffith, University Reviewer, Information Technology Faculty Chief Academic Officer and Provost Sue Subocz, Ph.
Walden University 2020 Abstract Exploring Cybersecurity Awareness and Training Strategies To Protect Information Systems and Data by Michael Mohsen Hanna MS, Walden University, 2019 MS, University of Calgary, 2011 BS, University of Calgary, 2005 Doctoral Study Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Information Technology Walden University June 2020 Abstract Ineffective security education, training, and awareness (SETA) programs contribute to compromises of organizational information systems and data. Inappropriate actions from users due to ineffective SETA programs may result in legal consequences, fines, reputational damage, adverse impacts on national security, and criminal acts. Grounded in social cognitive theory, the purpose of this qualitative multiple case study was to explore strategies hospitality organizational information technology (IT) leaders utilized to implement SETA successfully. The participants were organizational IT leaders from four organizations in Hampton Roads, Virginia.
Data collection was performed using telephone and video teleconference interviews with organizational IT leaders (n = 6) as well as secondary data analysis of documents related to SETA programs (n = 31). Thematic analysis was used to analyze and code the data, which resulted in three themes. Consistent, persistent, and relevant awareness and training was the first theme to emerge. Awareness and training based on threats, vulnerabilities, and risks was the second theme to emerge.
Disclosing expectations and taking appropriate actions towards employees based on behavior was the third theme to emerge. A recommendation is that SETA should be performed regularly throughout the year while using employee rewards and punishments to promote desired behavior. The findings of this study may promote positive social change by providing information to IT leaders to develop SETA programs and reduce security risks within organizations across various industries. Improved SETA may contribute to improved cyber practices at home and better protect family members.
Exploring Cybersecurity Awareness and Training Strategies To Protect Information Systems and Data by Michael Mohsen Hanna MS, Walden University, 2019 MS, University of Calgary, 2011 BS, University of Calgary, 2005 Doctoral Study Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Information Technology Walden University June 2020 Dedication I dedicate this study to my father, Moe, my mother, Nana, and my son, Matthew. First, to my father, who passed away two years before completing this study. He was a PhD in Chemical Engineering and always emphasized the importance of education. He always had an analogy for everything, and many of them related to education.
When I completed my bachelor’s degree, he once joked with me and said he would be impressed when I finished a doctorate degree. I know he was always proud of me, but this accomplishment means so much to me. He taught me the meaning of preserving through the greatest of challenges and the importance of education. I will never forget you, and I will always love you dad.
To my mother, she always taught me the importance of realizing there is more to life than just work and school. She was the other half to my development, and I would not be the man I am today without her. Last, I would like to dedicate this to my one-year-old son. Even though my son cannot read yet, I want him to understand the importance of pushing through the challenges life presents us with.
Matthew, I promise you that I will always be there for you. Acknowledgements I could not have made it to this point of my academic and professional life without my incredible wife, Ryann. My wife and I have gone through the challenges of deployment, building a life together with our son, and completing doctoral programs together. We have both sacrificed so much to get to this point, and I couldn’t have done this without you.
Your love, coaching, and support have meant so much to me from the moment we met. Once again, to my son, Matthew. Just watching you grow up and develop throughout the early stages of your life, you have really shown me what is important in life. I hope the example I try to make and the value I place on education, grit and resiliency are concepts my son takes with him throughout his life.
My ability to persevere came from my parents, and I am so thankful that they have had my back my entire life. I must also thank my doctoral committee for the support and guidance they have provided me. Thank you Dr. Blanson, and Dr.
This has been one of the most significant journeys of my life and it would have not been possible without my doctoral program committee. Table of Contents List of Tables .v Section 1: Foundation of the Study.1 Background of the Problem .2 Nature of the Study .5 Interview/Survey Questions .7 Assumptions, Limitations, and Delimitations. 9 Significance of the Study .10 Contribution to Information Technology Practice. 10 Implications for Social Change.
10 A Review of the Professional and Academic Literature .11 Social Cognitive Theory. 13 Components and Modes of Human Agency. 16 Triadic Reciprocal Determinism Model and Constructs. 20 i Contrasting and Similar Theories.
30 Cybersecurity Awareness and Training. 34 Human Factor in Cybersecurity. 41 Security Education, Training, and Awareness Research. 48 Transition and Summary .49 Section 2: The Project .52 Role of the Researcher .56 Research Method and Design.
63 Population and Sampling. 75 Data Collection Technique. 79 Data Organization Techniques. 81 Data Analysis Technique .83 Reliability and Validity.
90 Transition and Summary .90 Section 3: Application to Professional Practice and Implications for Change .92 Overview of Study .92 Presentation of the Findings.92 Theme 1: Consistent, Persistent and Relevant Training and Awareness. 93 Theme 2: Awareness and Training Based Off Threats, Risks and Vulnerabilities. 99 Theme 3: Consequences and Disclosed Expectations. 105 Applications to Professional Practice .112 Implications for Social Change .116 Recommendations for Action .118 Recommendations for Further Study .122 Summary and Study Conclusions .123 Appendix A: Interview Protocol .174 Appendix B: Interview Questions .177 Appendix C: Letter of Invitation.178 iii Appendix D: Informed Consent Form .180 iv List of Tables Table 1.
Frequency of First Major Theme in Participant Responses and Documentation……………………………………………………………………. Frequency of Second Major Theme in Participant Responses and Documentation……………………………………………………………. Frequency of Third Major Theme in Participant Responses and Documentation……………………………………………………………………108 v 1 Section 1: Foundation of the Study In this section, I will present the background of the problem, problem statement, purpose statement, and nature of the study. I will delineate the assumptions, limitations, and delimitations of the study.
Also, I will present the research question, conceptual framework, and significance of the study. Background of the Problem Organizations utilize a combination of technical and nontechnical security measures to protect information systems and data through a multilayered, defense-in- depth strategy (Conteh & Schmick, 2016). According to Conteh and Schmick (2016), a defense-in-depth strategy consists of security policies, network guidance, audits and compliance, technical solutions, physical security, and security education, training, and awareness (SETA). The weakest layer in an organization’s defense-in-depth strategy is related to the user’s unawareness of cybersecurity best practices, cybersecurity threats, and vulnerabilities (de Bruijn & Janssen, 2017).
The purpose of cybersecurity awareness and training programs are to ultimately protect an organization from the harm posed by cybersecurity vulnerabilities, threats, and attacks by improving employee education, training, and awareness (Beuran et al. The need for better cybersecurity awareness and training strategies are demonstrated by 58% of employees not knowing how to protect an organization from malicious activity, and 98% incorrectly believing security responsibilities are delegated to the system administrators (Hadlington, 2017). Effective SETA strategies are needed to protect users and organizational information systems and data. 2 Problem Statement Humans are the weakest layer in an organization’s cybersecurity program, and their unawareness contributes to an organization’s vulnerabilities (de Bruijn & Janssen, 2017).
The need for better cybersecurity awareness and training strategies are demonstrated by 58% of employees not knowing how to protect an organization from malicious activity, and 98% incorrectly believing security responsibilities are delegated to the system administrators (Hadlington, 2017). The general information technology (IT) problem is that ineffective employee cybersecurity awareness and training programs contribute to compromises of organizational information systems and data. The specific IT problem is that some corporate hospitality IT leaders lack strategies to implement cybersecurity awareness and training programs to protect organizational information systems and data. Purpose Statement The purpose of this qualitative exploratory multiple case study was to explore strategies used by corporate hospitality IT leaders to implement cybersecurity awareness and training programs to protect organizational information systems and data.
The population consisted of corporate hospitality IT leaders including the chief executive officer (CEO), chief operating officer (COO), general managers, chief information officer (CIO), chief information security officer (CISO), and IT directors in Hampton Roads, Virginia, who have implemented cybersecurity awareness and training strategies within their organization. Implications for positive social change include the potential improvement to awareness and training programs that contribute to better cybersecurity 3 practices, which may protect national security, guard critical infrastructure, and prevent disclosure of sensitive information due to compromise that may harm citizens. The improvement of cybersecurity awareness and training also has the potential of protecting these same employees and their families, including children at home, as a result of effective education. The lessons learned at work through awareness and training programs can be retaught at home, which may protect families from crime and nefarious intent.
There is also the potential to contribute new knowledge and insights that may lead to discovery, such as new strategies and tactical level implementations that may protect organizations from damaging events and ultimately improve the cybersecurity culture at a macrolevel. Nature of the Study My intent in this qualitative exploratory multiple case study was to explore organizational cybersecurity awareness and training strategies used to educate employees on practices to protect organizational information systems and data. Multiple case studies enable researchers to acquire a deeper understanding of a phenomenon (Zach, 2006). My intent in this study was to provide depth in understanding the strategies of cybersecurity awareness and training used to educate employees on practices to protect organizational information systems and data.
A qualitative research method was suitable for this study because I focused on multiple organizations and their successful implementation of cybersecurity awareness and training programs. Qualitative research promotes the generation of detailed and rich responses to intricate subjects (Cope, 2014). Therefore, I decided not to collect numerical data to evaluate my research questions, which is 4 explicitly required in a quantitative study. A quantitative study is appropriate when numerical data is used to describe a phenomenon (Carr, 1994).
Mixed methods research encompasses the incorporation of qualitative and quantitative methods and should only be utilized if the combination of methods better explains the research question than a single approach alone (Halcomb, 2019). Because I intended to explore this phenomenon and not describe it with numerical data, quantitative research was not appropriate for this study.