Abstract

This research argues that to increase information security awareness effectiveness in preventing data incidents, a learning mindset must be in place at the individual and organizational levels. The motivation for this research stems from the continued number of data breaches that are increasing in size and scope at an alarming rate, negatively impacting those affected individuals and organizations. There exists a gap in the literature regarding the ability of information security awareness programs to be effective and whether organizational learning can help improve these programs. This research examined two U.S. based organizations through a mixed method, deductive cross-case study to determine how information security awareness training is implemented and if data incidents contribute to organizational learning. Actual practice was contrasted to a hypothesized information security awareness learning model developed from the theories of double loop learning, organizational knowledge creation, and intelligent failure to determine if organizational learning contributes to the ongoing development of information security awareness training programs. This study identified six learning model gaps that led to the conclusion that organizational learning is not being adopted in practice to increase the effectiveness of information security awareness training programs. The findings have direct implications to current practice regarding how to increase the effectiveness of information security awareness training programs. The findings also have implications for future research regarding the impact of organizational learning on information security.