{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T18:01:13Z","timestamp":1754157673335,"version":"3.41.2"},"reference-count":24,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2011,7,19]],"date-time":"2011-07-19T00:00:00Z","timestamp":1311033600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2011,7,19]]},"abstract":"Purpose<\/jats:title>The purpose of this paper is to measure and discuss the long\u2010term effects of an e\u2010learning tool aiming at improving the information security knowledge, awareness, and behaviour of employees.<\/jats:p><\/jats:sec>Design\/methodology\/approach<\/jats:title>The intervention study had two assessments of knowledge and attitudes among employees: one survey, one week before the intervention, and one survey eight months after the intervention. The population was divided into an intervention group and a control group, where the only separated the groups was participation in the intervention (i.e. the e\u2010learning tool).<\/jats:p><\/jats:sec>Findings<\/jats:title>The study documents that the effects of the intervention on security awareness and behavior partly remains more than half a year after the intervention, but that the detailed knowledge on information security issues diminished during the period. The study also discusses how such courseware can contribute to long\u2010term organizational learning compared with human interventions such as action research. Both human resource management and internal promotion are necessary input in the process to successfully educate and train employees in information security.<\/jats:p><\/jats:sec>Research limitations\/implications<\/jats:title>One weakness of concern is the low response rate of 37 in the final analysis.<\/jats:p><\/jats:sec>Practical implications<\/jats:title>The study can document that short\u2010time effects of software supported information security awareness on employees' knowledge, behaviour, and awareness diminish over time. It is thus important to maintain and continually perform information security awareness. More interventions studies, following the same principles as presented in this paper, of other user\u2010directed measures is needed, to test and document the effects of different measures.<\/jats:p><\/jats:sec>Originality\/value<\/jats:title>The paper is innovative in the area of information security research as it shows how an information security intervention can be measured.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685221111153537","type":"journal-article","created":{"date-parts":[[2011,7,25]],"date-time":"2011-07-25T10:52:37Z","timestamp":1311591157000},"page":"140-154","source":"Crossref","is-referenced-by-count":15,"title":["The long\u2010term effects of information security e\u2010learning on organizational learning"],"prefix":"10.1108","volume":"19","author":[{"given":"Janne","family":"Hagen","sequence":"first","affiliation":[]},{"given":"Eirik","family":"Albrechtsen","sequence":"additional","affiliation":[]},{"given":"Stig","family":"Ole Johnsen","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"unstructured":"Albrechtsen, E. (2008), \u201cFriend or foe? Information security management of employees\u201d, PhD dissertation, Theses No. 2008: 101, Norwegian University of Science and Technology (NTNU), Trondheim.","key":"key2022012120251754400_b1"},{"unstructured":"Argyris, C. and Sch\u00f6n, D. (1978), Organizational Learning: A Theory of Action Perspective, Addison\u2010Wesley, Reading, MA.","key":"key2022012120251754400_b2"},{"doi-asserted-by":"crossref","unstructured":"Brown, J.S. and Duguid, P. (1991), \u201cOrganizational learning and communities\u2010of\u2010practise: toward a unified view of working, learning and innovation\u201d, Organizational Science, Vol. 2 No. 1, pp. 40\u201057.","key":"key2022012120251754400_b3","DOI":"10.1287\/orsc.2.1.40"},{"doi-asserted-by":"crossref","unstructured":"Cone, B.D., Irvine, C.E., Thompson, M.F. and Nguyen, T.D. (2007), \u201cA video game for cyber security training and awareness\u201d, Computers and Security, Vol. 26, pp. 63\u201072.","key":"key2022012120251754400_b4","DOI":"10.1016\/j.cose.2006.10.005"},{"doi-asserted-by":"crossref","unstructured":"Denis, G. and Jouvelot, P. (2005), \u201cMotivation\u2010driven educational game design: applying best practices to music education\u201d, in Lee, N. (Ed.), Proceedings of the International Conference on Advances in Computer Entertainment Technology, ACM Press, New York, NY.","key":"key2022012120251754400_b5","DOI":"10.1145\/1178477.1178581"},{"doi-asserted-by":"crossref","unstructured":"Dings\u00f8yr, T. and Moe, N.B. (2008), \u201cThe impact of employee participation on the use of an electronic process guide: a longitudinal case study\u201d, IEEE Transactions on Software Engineering, Vol. 34 No. 2, pp. 212\u201026.","key":"key2022012120251754400_b6","DOI":"10.1109\/TSE.2007.70767"},{"unstructured":"ENISA (2007), Information Security Awareness Initiatives: Current Practice and the Measurement of Success, European Network and Information Security Agency (ENISA), Crete.","key":"key2022012120251754400_b7"},{"doi-asserted-by":"crossref","unstructured":"Garris, R., Ahlers, R. and Driskell, J. (2002), \u201cGames, motivation and learning: a research and practice model\u201d, Simulation and Gaming, Vol. 33 No. 4, pp. 441\u20107.","key":"key2022012120251754400_b8","DOI":"10.1177\/1046878102238607"},{"unstructured":"Goldenhar, L.M. and Schulte, P.A. (1994), \u201cIntervention research in occupational health and safety\u201d, Journal of Occupational Medicine, Vol. 36 No. 7, pp. 763\u201075.","key":"key2022012120251754400_b9"},{"unstructured":"Hagen, J. (2009a), \u201cHow do employees comply with security policy? A comparative case study of four organizations under the Norwegian Security Act\u201d, The Human Factor Behind the Security Perimenter, Evaluating the Effectiveness of Organizational Information Security Measures and Employees' Contributions to Security, Doctoral dissertation, Faculty of Mathematics and Natural Science, University of Oslo, Oslo.","key":"key2022012120251754400_b12"},{"doi-asserted-by":"crossref","unstructured":"Hagen, J. (2009b), \u201cHuman relationships: a never\u2010ending security education challenge?\u201d, IEEE Security and Privacy, pp. 72\u20104.","key":"key2022012120251754400_b13","DOI":"10.1109\/MSP.2009.92"},{"doi-asserted-by":"crossref","unstructured":"Hagen, J. and Albrechtsen, E. (2009), \u201cEffects on employees' information security abilities by e\u2010learning\u201d, Information Management & Computer Security, Vol. 17 No. 5, pp. 388\u2010407.","key":"key2022012120251754400_b11","DOI":"10.1108\/09685220911006687"},{"unstructured":"Hagen, J., Irvine, C. and Thompson, A. (2009), \u201cA preliminary study of barriers to engagement in cybersiege\u201d, Technical Report, NPS\u2010CS\u201009\u2010006, Naval Postgraduate School, Monterey, CA.","key":"key2022012120251754400_b10"},{"doi-asserted-by":"crossref","unstructured":"Kristensen, T.S. (2005), \u201cIntervention studies in occupational epidemiology\u201d, Occupational and Environmental Medicine, Vol. 62 No. 3, pp. 205\u201010.","key":"key2022012120251754400_b14","DOI":"10.1136\/oem.2004.016097"},{"doi-asserted-by":"crossref","unstructured":"Nonaka, I. and Takeuchi, H. (1995), The Knowledge Creating Company, Oxford University Press, New York, NY.","key":"key2022012120251754400_b15","DOI":"10.1093\/oso\/9780195092691.001.0001"},{"doi-asserted-by":"crossref","unstructured":"Rentroia, M.A., Jorge, J. and Ghauoui, C. (2006), \u201cMotivation to e\u2010learn without organizational settings: an exploratory factor structure\u201d, International Journal Distance Education Technologies, Vol. 4 No. 3, pp. 24\u201035.","key":"key2022012120251754400_b17","DOI":"10.4018\/jdet.2006070103"},{"unstructured":"Ringdal, K. (2001), Enhet og mangfold: samfunnsvitenskapelig forskning og kvantitativ metode (in Norwegian) (Unity and Diversity: Social Science and Quantitative Methods), Fagbokforlaget, Bergen.","key":"key2022012120251754400_b16"},{"unstructured":"Robson, L.S., Shannon, H.S., Goldenhar, L.M. and Hale, A.R. (2001), Guide to Evaluating the Effectiveness of Strategies for Preventing Work Injuries: How to Show Whether a Safety Intervention Really Works, NIOSH, Cincinnati, OH (NIOSH Publication No. 2001\u2010119).","key":"key2022012120251754400_b18"},{"unstructured":"Schneier, B. (2004), Secrets and Lies: Digital Security in a Networked World, Wiley, Indianapolis, IN.","key":"key2022012120251754400_b19"},{"doi-asserted-by":"crossref","unstructured":"Schultz, E. (2005), \u201cThe human factor in security\u201d, Computers and Security, Vol. 24 No. 6, pp. 425\u20106.","key":"key2022012120251754400_b20","DOI":"10.1016\/j.cose.2005.07.002"},{"doi-asserted-by":"crossref","unstructured":"Wang, A.J.A. and Yestko, K. (2005), \u201cBuilding reusable information security courseware\u201d, paper presented at the Information Security Curriculum Development Conference, Kennesaw, GA, 23\u201024 September.","key":"key2022012120251754400_b21","DOI":"10.1145\/1107622.1107642"},{"doi-asserted-by":"crossref","unstructured":"Ward, P. and Smith, C.L. (2002), \u201cThe development of access control policies for information technology systems\u201d, Computers and Security, Vol. 21 No. 4, pp. 365\u201071.","key":"key2022012120251754400_b22","DOI":"10.1016\/S0167-4048(02)00414-5"},{"doi-asserted-by":"crossref","unstructured":"Weick, K.E. (1991), \u201cThe non\u2010traditional quality of organizational learning\u201d, Organizational Science, Vol. 2 No. 1, pp. 116\u201024.","key":"key2022012120251754400_b23","DOI":"10.1287\/orsc.2.1.116"},{"doi-asserted-by":"crossref","unstructured":"Yuiki, G. (2009), \u201cLeadership and organizational learning\u201d, The Leadership Quarterly, Vol. 20 No. 1, pp. 49\u201053.","key":"key2022012120251754400_b24","DOI":"10.1016\/j.leaqua.2008.11.006"}],"container-title":["Information Management & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685221111153537","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685221111153537\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685221111153537\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:09:21Z","timestamp":1753402161000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/19\/3\/140-154\/185305"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2011,7,19]]},"references-count":24,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2011,7,19]]}},"alternative-id":["10.1108\/09685221111153537"],"URL":"https:\/\/doi.org\/10.1108\/09685221111153537","relation":{},"ISSN":["0968-5227"],"issn-type":[{"type":"print","value":"0968-5227"}],"subject":[],"published":{"date-parts":[[2011,7,19]]}}}