
Engineering IT risk awareness, education and training

7 March 2012

Iacovos Kirlappos

A significant part of the world today is highly dependent on Information Technology. Organisations use computer systems as the major tool of work production. This results in a need to protect the IT assets of an organisation, both to avoid leakage of sensitive data and to ensure an uninterrupted workflow, since interruptions can hinder business processes. The complexity of information security and its fast-changing nature, with new threats appearing every day, make it difficult for employees without technical expertise to understand. User education has been used to shape user behaviour to comply with security policies, which are usually developed based on threats and vulnerabilities identified in organisations. Until now, education schemes have been based on empirical data, experience of past security breaches and examples of bad practices that should be avoided, usually presenting users with large checklists exhaustively reporting all security threats. The problem with this is that no attempt is made to understand how users perceive security and what misconceptions they form, and to address those through better security awareness, education and training campaigns.

This project will aim to devise a systematic approach to security awareness, education and training that will:

  1. Improve the communication to employees of the risks related to their everyday IT operations, and their awareness of potential security breaches.
  2. Allow the creation of education and training schemes that are grounded in the identified risks and prioritise those which address the threats presenting the highest risk to an organisation.
  3. Ensure the imposed measures do not hinder the effectiveness of business processes and impose a minimal burden on employees’ everyday tasks.


The creation of a systematic approach to aid security awareness, education and training based on risk communication will allow organisations to communicate IT-related risks more effectively, implement effective education and training, and thus influence employee behaviour. This can provide many advantages for the organisations that follow similar approaches, but also for their employees:

  • It will help users form a clear understanding of the threats they face, so that they can correctly perceive the benefits of compliance with security practices, by altering the perceived cost/benefit balance.
  • Easy-to-use measures will be better embraced and adopted by employees and will decrease employee frustration.
  • It can improve the effectiveness of the security campaigns developed and, by applying scientific principles to their design, prevent organisations from spending resources on ineffective campaigns.
  • A systematic approach to the development of security measures can be reused and reapplied to new situations in an organisation, and allows a wider range of organisations to adopt it easily to solve their specific security problems.