A field experiment on ISP training designs for enhancing employee information security compliance

Information security policy (ISP) training plays an important role in enhancing organisational resilience against cyber threats by providing employees with the necessary knowledge and skills to effectively identify, prevent, and respond to security breaches. This research aims to explore how the use of deterrence arguments and threat arguments can enhance the effectiveness of ISP training. We theorise how ISP training affects employees' ISP compliance behaviour by arguing for a transfer of training lens to study the effectiveness of ISP training. The results of our field experiment with triangulated data suggest that the effect of argumentative-enhanced ISP training is twofold. First, employees who participated in enhanced training sessions with deterrence and threat arguments demonstrated superior training outputs after the training, which, in turn, translated into a sustained training outcome three weeks after the training. Second, we also find evidence that threat arguments can reinforce the application of training outputs in the maintenance stage of learned behaviours. With this applied research study, we contribute to the research and practice by providing empirical evidence of the effectiveness of ISP training designs.