Kim, Bo-ra (Research Fellow, Barun ICT Research Center, Yonsei University)

Lee, Jong-Won (Graduate School of Information, Yonsei University)

Kim, Beom-Soo (Professor, Graduate School of Information, Yonsei University)


In the past, organizations tended to focus on physical and technical aspects of managing corporate's information security (IS), rather than the aspect of human resources related to IS. Recently, increasing security incidents caused by organization members raise the issue of how to improve employees' compliance with security policies. This study conducted a field experiment to examine the effect of security awareness training and technical security services on employee’s security behaviors. In Study 1, the number of spam opening cases were measured right after the IS training and re-measured three months later. In Study 2, a spam warning message was provided and then the number of employees’ spam opening cases were counted to find out the effect of security services. It was found that both the IS training and the technical IS service were effective; they significantly decreased spam opening rates. However, the training effect did not last
longer than three months. These findings suggest that organizations need to consider providing regular training programs and supplementary technical services to improve employees' compliance with security policies.

Keywords: information security, security awareness training, technical security service, security policy compliance, field experiment, spam

Informatization Policy, 2018, 25(1) : 99-114