A method for implementing an information security awareness campaign within an organisation

Master Thesis


Permanent link to this Item
Journal Title
Link to Journal
Journal ISSN
Volume Title
Research has shown that educating end-users on information security awareness plays an essential part in securing any environment. While best practice standards provide a set of minimum information security awareness controls that should be implemented, little guidance exists on how to implement these controls to ensure the effectiveness of the training. This research set out to define and evaluate a method for implementing an Information Security Awareness Campaign within an organisation based on existing research and standards while assisting the organisation in improving their information security awareness campaign through the creation of artifacts and measurement techniques. A design science research approach guided the research to evaluate changes in the information security awareness campaign implementation method through several research cycles. The method was implemented within an organisation and evaluated based on the impact, effectiveness and results of each step as well as the feedback from participants. The research found both positive and negative results throughout the method. Specific steps within the method proved to be lengthy, time-consuming and confusing to participants. Although many improvements can yet be made, the method was suitable as it achieved the required objective within the organisation. The research outcome provided a risk-based method with a visual representation that demonstrated the lack of awareness of specific information security awareness topics to the organisation. The results of the study not only provided value to the organisation but provided a tried and tested method for implementing an Information Security Awareness Campaign within other organisations.