The development of a training program that educates organizational employees on information security related items can assist an organization in reducing information security risks. However, organizations typically rely on and expend financial resources on technological means to protect organizational information (Spears & Barki, 2010). According to Chen, Shaw, and Yang (2006), employees are the most important factor in reducing risks, because employees are the weakest link in information security (Hu, Dinev, Hart, & Cooke, 2012). Moreover, the protection of organizational information is the responsibility of the organization due to regulations, best practices, and organizational policies. Information security awareness and training programs are a systematic approach that organizations undertake to assist in the protection of informational assets. The incorporation of information security training helps ensure users understand the serious impacts of network security, which includes the protection of information assets. Additionally, the implementation and execution of a training program for organizational employees, and more specifically information technology (IT) employees, may assist employees in understanding security risks. In this paper, we present educational deployment methods to educate organizational staff and strategies used to implement training. Furthermore, we present methods used to transform training methods and a critique of security approaches designed to reduce risks and improve security.
Educational Deployment Methods
Organizations employ various methods to deploy information security training programs to personnel in an effort to highlight security risks and safeguard organizational information. Based upon a special publication distributed by the National Institute of Standards and Technology (NIST), implementation models for training typically reside within the following three categories: centralized, partially decentralized, and decentralized (Wilson & Hash, 2003). This section will discuss several methods used to educate employees on information security related topics, which include instructor-led training, web-based training, and computer-based training. Although not discussed in this paper, newsletters, videotapes, teleconferences, and posters are other methods used to educate personnel. Regardless of the deployment method used, the result is to educate users and for users to have a security-based mindset when conducting business operations (White, Hewitt, & Kruck, 2013).
The first method discussed to educate employees on information security topics is training conducted by an instructor. The ability of an organization to provide instructor-led training assists in the transference of information security knowledge and provides reinforcement of the topics discussed during training (Karjalainen & Siponen, 2011). To emphasize information security...