The enforcement of end-user security compliance using Chatbot

Abstract

Information security is a multifaceted approach that combines technical and non-technical controls to ensure that organisations are protected against cyber-attacks. Technical security controls apply technological solutions such as firewalls, encryption, antivirus, antimalware, intrusion detection system and intrusion prevention systems. Non-technical security controls deal with security policies, procedures, and standards. Users need to be educated about these non-technical security controls for compliance and adherence. Extant literature has noted poor security conduct and low compliance levels among users. This behaviour leads to what is known in the security realm as an insider threat. Cyber-attacks constantly evolve to keep up with the latest technology. However, low-tech attacks are still popular because manipulating the insider threat’s vulnerability (human factor) does not require sophisticated techniques. Training and awareness are key to the success of information security policy. However, it has become apparent that ongoing user compliance is not easy to achieve because users have difficulties applying the contents of information security policy consistently. This difficulty, accompanied by a lack of regular security training, is seen as the primary cause of users’ inconsistent security behaviour. The research hypothesis of this study is that users who receive a constant reminder about the contents of the information security policy have a higher information security compliance behaviour than users without any form of reminder. This quantitative research study used a chatbot to test the hypothesis. The data was collected from two government entities in Cape Town. A random sampling technique was used to acquire a sample of forty-two participants. Experiments followed a two-group experimental design approach: the experimental group and the control group. The experimental group was exposed to the treatment; in this research, a chatbot was used as an intervention. Three hypotheses were tested in this research study. The results of the first hypothesis showed a significant difference in the behaviour of the users who received training and exposure to a chatbot. The results of the second hypothesis were not statistically significant. The results of the third hypothesis proved that the compliance behaviour of users could be improved if users were to receive constant reminders about the contents of the information security policy. Implications, future research and recommendations included recommendations for a longitudinal study and extending the research to other provinces. In addition, the study recommended further analysis of information security training delivery methods.