The positive outcomes of information security awareness training in companies - A case study

One of the key factors in successful information security management is the effective compliance of security policies and proper integration of “people”, “process” and “technology”. When it comes to the issue of “people”, this effectiveness can be achieved through several mechanisms, one of which is the security awareness training of employees. However, the outcomes should also be measured to see how successful and effective this training has been for the employees. In this study, an information security awareness project is implemented in a company both by training and by subsequent auditing of the effectiveness and success of this training (which focussed on password usage, password quality and compliance of employees with the password policies of the company). The project was conducted in a Turkish company with 2900 white-collar employees. Each employee took information security training including password usage. Also, there were several supporting awareness campaigns such as educational posters, animations and e-messages on the company Intranet, surveys and simple online quizzes. The project was carried out over a 12 month period and three password security strength audits were made during this period. The results were comparatively and statistically analysed. The results show us the effectiveness of the project and the impact of human awareness on the success of information security management programmes in companies. This study gives us some crucial results, facts and methods that can also be used as a guideline for further similar projects. a 2010 Elsevier Ltd. All rights reserved.