You are here: Home Contents V5 N3 V5N3_Crossler.html
Personal tools

The Effects of Security Education Training and Awareness Programs and Individual Characteristics on End User Security Tool Usage



Full text

Journal of Information System Security
Volume 5, Number 3 (2009)
Pages 322
ISSN 1551-0123
Robert E. Crossler — University of Texas Pan American, USA
France Bélanger — Virginia Polytechnic Institute and State University, USA
Information Institute Publishing, Washington DC, USA




The security behaviors of individuals are an important aspect of the overall goal of creating a secure computing environment. Recent surveys have shown that individuals’ security behaviors are one of the greatest security risks for companies. The purpose of this research is to explore the effects some individual characteristics and a security education, training, and awareness program have on security tool usage by individuals. This is accomplished by using an experimental research approach where an initial survey was conducted, different instruction levels were given to different groups, and a post-treatment survey was conducted. Results suggest that a person’s level of computer self-efficacy, along with gender, significantly impacts his or her use of security tools. Results also show that education in the use of security tools is necessary in order to improve usage. The implications of these findings are discussed.




Information Security, Training, Experiment, Computer Self-efficacy, Gender




Al-Ayed, A., Furnell, S. M., Zhao, D., and Dowland, P. S. (2005), “An Automated Framework for Managing Security Vulnerabilities,” Information Management & Computer Security, 13 (2/3): 156-166.

Bandura, A. (1977), “Self-efficacy; Toward a Unifying Theory of Behavioral Change,” Psychological Review, 84 (2): 191-215.

Bandura, A. (1978), “Reflections on Self-efficacy,” in: Advances in Behavioral Research and Therapy (1), ed. S. Rachman, Oxford UK: Pergamon Press.

Bandura, A. (1982), “Self-efficacy Mechanism in Human Agency,” American Psychologist, 37 (2): 122-147.

Bandura, A. (1986), Social Foundations of Thought and Action, Englewood Cliffs, NJ: Prentice Hall.

Brown, S. D., Lent, R. W., and Larkin, K. C. (1989), “Self-Efficacy as a Moderator of Scholastic Aptitude-Academic Performance Relationships,” Journal of Vocational Behavior, 35 (1): 64-75.

Burkhardt, M. E., and Brass, D. J. (1990), “Changing Patterns or Patterns of Change: The Effects of a Change in Technology on Social Structure and Power,” Administrative Science Quarterly, 35 (1): 104-127.

Busch, T. (1995), “Gender differences in self-efficacy and attitudes toward computers,” Journal of Educational Computing Research, 12 (2): 147-158.

Cassidy, S., and Eachus, P. (2002), “Developing the computer user self-efficacy (CUSE) scale: Investigating the relationship between computer self-efficacy, gender and experience with computers,” Journal of Educational Computing Research, 26 (2): 133-153.

CERT (2002), “CERT Coordination Center - Home Computer Security,” Accessed February 24, 2009, available at

Compeau, D., Higgins, C. A., and Huff, S. (1999), “Social Cognitive Theory and Individual Reactions to Computing Technology: A Longitudinal Study,” MIS Quarterly, 23 (2): 145-158.

Compeau, D. R., and Higgins, C. A. (1995), “Computer Self-Efficacy: Development of a Measure and Initial Test,” MIS Quarterly, 19 (2): 189-211.

Delcourt, M. A. B., and Kinzie, M. B. (1993), “Computer Technologies in Teacher Education: The Measurement of Attitudes and Self-Efficacy,” Journal of Research and Development in Education, 27 (1): 35-41.

Deloitte (2007), “2007 Global Security Survey: The Shifting Security Paradigm,” Accessed January 16, 2008, available at

Dhillon, G., and Backhouse, J. (2000), “Information System Security Management in the New Millennium,” Communications of the ACM, 43 (7): 125-128.

Dhillon, G., and Backhouse, J. (2001), “Current Directions in IS Security Research: Towards Socio-Organizational Perspectives,” Information Systems Journal, 11 (2): 127-153.

Durndell, A., and Haag, Z. (2002), “Computer self efficacy, computer anxiety, attitudes towards the Internet and reported experience with the Internet, by gender, in an East European sample,” Computers in Human Behavior, 18 (5): 521-535.

Fagan, M. H., Neill, S., and Wooldridge, B. R. (2003), “An Empirical Investigation into the Relationship between Computer Self-Efficacy, Anxiety, Experience, Support and Usage,” The Journal of Computer Information Systems, 44 (2): 95-104.

Furnell, S. M., Jusoh, A., and Katsabas, D. (2006), “The Challenges of Understanding and Using Security: A Survey of End-Users,” Computers & Security, 25 (1): 27-35.

Gefen, D., and Straub, D. W. (1997), “Gender Differences in the Perception and Use of E-mail: An Extension to the Technology Acceptance Model,” MIS Quarterly, 21 (4): 389-400.

Gist, M. E., Schwoerer, C., and Rosen, B. (1989), “Effects of Alternative Training Methods on Self-Efficacy and Performance in Computer Software Training,” Journal of Applied Psychology, 74 (6): 884-891.

Gopal, R. D., and Sanders, G. L. (1997), “Preventive and Deterrent Controls for Software Piracy,” Journal of Management Information Systems, 13 (4): 29-47.

Guth, R. A., and Vara, V. “Software Makers Launch Simpler Anti-Virus Services; For a Fee, New Programs Let Users Avoid Hassles of Constant Manual Updates,” in: Wall Street Journal, February 15, 2006, p. D.1.

Henderson, R. D., Deane, F. P., and Ward, M. J. (1995), “Occupational Differences in Computer-Related Anxiety: Implications for the Implementation of a Computerized Patient Management Information System,” Behaviour & Information Technology, 14 (1): 23-31.

Hill, T., Smith, N. D., and Mann, M. F. (1987), “Role of Efficacy Expectations in Predicting the Decision to Use Advanced Technologies: The Case of Computers,” Journal of Applied Psychology, 72(2): 307-313.

Hunt, N. P., and Bohlin, R. M. (1993), “Teacher Education and Students’ Attitudes Toward Using Computers,” Journal of Research on Computing in Education, 25: 487-497.

Johnson, R. D., and Marakas, G. M. (2000), “Research Report: The Role of Behavioral Modeling in Computer Skills Acquisition - Toward Refinement of the Model,” Information Systems Research, 11 (4): 403-417.

Kankanhalli, A., Teo, H.-H., Tan, B. C. Y., and Wei, K.-K. (2003), “An Integrative Study of Information Systems Security Effectiveness,” International Journal of Information Management, 23 (2): 139-154.

Medlin, B. D., and Cazier, J. A. (2005), “An Investigative Study: Consumers Password Choices on an E-Commerce Site,” Journal of Information Privacy & Security, 1 (4): 33-52.

Morrow, P. C., Prell, E. R., and McElroy, J. C. (1986), “Attitudinal and Behavioral Correlates of Computer Anxiety,” Psychological Reports, 59 (3): 1199-1204.

NIST (1995), SP 800-12. An Introduction to Computer Security: The NIST Handbook, National Institute of Standards and Technology.

NIST (1998), SP 800-16. Information Technology Security Training Requirements: A Role- and Performance-Based Model, National Institute of Standards and Technology.

NIST (2003), SP 800-50. Building an Information Technology Security Awareness and Training Program, National Institute of Standards and Technology.

Nunnally, J. (1978), Psychometric Theory, McGraw Hill, New York.

Panko, R. R. (2004), Corporate Computer and Network Security, Prentice Hall, Upper Saddle River, New Jersey.

Richardson, R. “2007 CSI Computer Crime and Security Survey,” Computer Security Institute, 2007.

Schultz, E. (2004), “Security Training and Awareness - Fitting a Square Peg in a Round Hole,” Computers & Security, 23 (1): 1-2.

Stanton, J. M., Stam, K. R., Mastrangelo, P., and Jolton, J. (2005), “Analysis of End User Security Behaviors,” Computers & Security, 24 (2): 124-133.

Stephens, P. (2005), “A Decision Support System for Computer Literacy Training at Universities,” The Journal of Computer Information Systems, 46 (2): 33-44.

Straub, D. W. (1990), “Effective IS Security: An Empirical Study,” Information Systems Research, 1 (3): 255-276.

Tamimi, N., and Sebastianelli, R. (2007), “Understanding eTrust,” Journal of Information Privacy & Security, 3 (2): 3-17.

Thatcher, J. B., and Perrewe, P. L. (2002), “An Empirical Examination of Individual Traits as Antecedents to Computer Anxiety and Computer Self-Efficacy,” MIS Quarterly, 26 (4): 381-396.

Thong, J. Y. L., Hong, W., and Tam, K. Y. (2004), “What Leads to User Acceptance of Digital Libraries?,” Communications of the ACM, 47 (11): 79-83.

Venkatesh, V., and Morris, M. G. (2000), “Why Don’t Men Ever Stop to Ask for Directions? Gender, Social Influence, and Their Role in Technology Acceptance and Usage Behavior,” MIS Quarterly, 24 (1): 115-139.

Venkatesh, V., Morris, M. G., and Ackerman, P. L. (2000), “A Longitudinal Field Investigation of Gender Differences in Individual Technology Adoption Decision-Making Processes,” Organizational Behavior and Human Decision Processes, 83 (1): 33-60.

Venkatesh, V., Morris, M. G., Davis, G. B., and Davis, F. D. (2003), “User Acceptanceof Information Technology: Toward a Unified View,” MIS Quarterly, 27 (3): 425-478.

Webster, J., and Martocchio, J. J. (1995), “The Differential Effects of Software Training Previews on Training Outcomes,” Journal of Management, 21 (4): 757-787.

Whitman, M. E., Perez, J., and Beise, C. (2001), “A Study of User Attitudes Toward Persistent Cookies,” The Journal of Computer Information Systems, 41 (3): 1-7.

Yi, M. Y., and Davis, F. D. (2001), “Improving Computer Training Effectiveness for Decision Technologies: Behavior Modeling and Retention Enhancement,” Decision Sciences, 32 (3): 521-544.

Yi, M. Y., and Davis, F. D. (2003), “Developing and Validating an Observational Learning Model of Computer Software Training and Skill Acquisition,” Information Systems Research, 14 (2): 146-169.

Yi, Y., Wu, Z., and Tung, L. L. (2005), “How Individual Differences Influence Technology Usage Behavior? Toward an Integrated Framework,” The Journal of Computer Information Systems, 46 (2): 52-63.

Zviran, M., and Erlich, Z. (2006), “Identification and Authentication: Technology and Implementation Issues,” The Communications of the Association for Information Systems, 17.