Employee noncompliance with information systems security policies is
a key concern for organizations. If users do not comply with IS
security policies, security solutions lose their efficacy. Of the
different IS security policy compliance approaches, training is the
most commonly suggested in the literature. Yet, few of the existing
studies about training to promote IS policy compliance utilize
theory to explain what learning principles affect user compliance
with IS security policies, or offer empirical evidence of their
practical effectiveness. Consequently, there is a need for IS
security training approaches that are theory-based and empirically
evaluated. Accordingly, we propose a training program based on two
theories: the universal constructive instructional theory and the
elaboration likelihood model. We then validate the training program
for IS security policy compliance training through an action
research project. The action research intervention suggests that the
theory-based training achieved positive results and was practical to
deploy. Moreover, the intervention suggests that information
security training should utilize content and methods that activate
and motivate learners to engage in systematic cognitive processing of
the information they receive during the training. In addition, the
action research study made clear that a continuous communication
process was also required to improve user IS security policy
compliance. The findings of this study offer new insights for
scholars and practitioners involved in IS security policy compliance.

Keywords: IS security, IS security training, employees'
compliance with security policies