Degree Name

Doctor of Philosophy (PhD)


Teaching & Learning


The purpose of this study is twofold. The first purpose is to investigate the status of security awareness training, IT-related policies, and the use of social engineering testing in business organizations. The second is to investigate the extent to which colleges and universities offer security awareness topics as part of a student's coursework or daily activities, specifically in colleges of business, to help determine the level of students' security awareness exposure and preparedness for the work world.

The colleges of business study examined demographics, which topics were being covered, how often, to whom they were offered, and in which departmental areas they were offered. Data was collected from 85 subjects across multiple departments from 35 states. The organizational study used partial matrix sampling to examine demographics, details and specific practices of security awareness training, policies, user compliance, auditing and testing, and user perceptions. Participants consisted of 144 professionals involved with management of information or records from all sizes and types of organizations. Descriptive statistics and MANOVAs were calculated on both data sets.

The college of business study found that a substantial percentage of colleges of business may not offer security awareness training, but most faculty respondents recognized information security as an important concern and felt that students and faculty should receive more security awareness training. Although the study found that a significant percentage of participants reported no integration of security awareness topics in the curriculum, almost one-third of total respondents would like to increase coverage of security awareness topics within their courses.

The organizational study found that most organizations conduct security awareness training but do not necessarily customize the format for different types of groups within the organization. Most respondents acknowledged information security as important and felt motivated to follow security guidelines. The study revealed a need for increased use of social engineering policies, training, and testing, along with a need to conduct periodic assessments of security awareness programs and components.
