Concepedia

Publication | Closed Access

Definition and Multidimensionality of Security Awareness

Citations: 22

References: 110

Year: 2018

Abstract

This study proposes and examines a multidimensional definition of information security awareness. We also investigate its antecedents and analyze its effects on compliance with organizational information security policies. The above research goals are tested through the theoretical lens of technology threat avoidance theory and protection motivation theory. Information security awareness is defined as a second-order construct composed of the elements of threat and coping appraisals supplemented by the responsibilities construct to account for the organizational environment. The study was executed in two stages. First, the participants (employees of a municipality) were exposed to a series of phishing messages. Second, the same individuals were asked to participate in a survey designed to examine their security awareness. The research model was tested using the PLS-SEM approach. The results indicate that security awareness is in fact a second-order formative construct composed of six components. There are significant differences in security awareness levels between the victims of the phishing experiment and the employees who maintain compliance with security policies. Our study extends the theory by proposing and validating a general, yet practical definition of security awareness. It also bridges the gap between theory and practice - our contextualization of security awareness draws heavily on both fields.
