Organisations and security professionals design Security Education, Training, and Awareness (SETA) programs to improve cybersecurity behaviour, but they are often poorly received by employees. To understand employee negative perceptions of SETA programs, we conducted in-depth interviews with 20 Australian employees regarding their experiences with both SETA programs and non-cybersecurity related workplace training. As expected, employees had a generally poor view of SETA programs. They reported that the same factors that are important for effective non-cybersecurity training are also important for SETA programs, such as management role modelling and well-designed workplace systems. However, the level of importance of these factors differed across the two contexts. For example, employees indicated that the misbehaviour of their colleagues is a more important factor for their appraisal of a SETA program than it is for a non-cybersecurity workplace training program. Our results suggest that employee perceptions of SETA programs relate to their previously held beliefs about cybersecurity threats, the content and delivery of the training program, the behaviour of others around them, and features of their organisation. From an applied perspective, these findings can explain why employees often do not engage with cybersecurity training material, and how their current beliefs can influence their receptivity for future training.

组织和安全专业人员设计了安全教育，培训和意识（SETA）计划来改善网络安全行为，但员工通常对此不太满意。为了了解员工对SETA计划的负面看法，我们对20名澳大利亚员工进行了深度访谈，以了解他们在SETA计划和与网络安全无关的工作场所培训方面的经验。不出所料，员工对SETA计划的看法普遍较差。他们报告说，对于有效的非网络安全培训同样重要的因素对于SETA计划也很重要，例如管理角色建模和精心设计的工作场所系统。但是，在两种情况下，这些因素的重要性水平有所不同。例如，员工表示，同事的不当行为是他们评估SETA计划的重要因素，而不是非网络安全工作场所培训计划。我们的结果表明，员工对SETA计划的看法与他们先前对网络安全威胁，培训计划的内容和交付，周围其他人员的行为以及组织特征的信念有关。从应用的角度来看，这些发现可以解释为什么员工经常不参加网络安全培训材料，以及他们当前的信念如何影响他们对未来培训的接受度。我们的结果表明，员工对SETA计划的看法与他们先前对网络安全威胁，培训计划的内容和交付，周围其他人员的行为以及组织特征的信念有关。从应用的角度来看，这些发现可以解释为什么员工经常不参加网络安全培训材料，以及他们当前的信念如何影响他们对未来培训的接受度。我们的结果表明，员工对SETA计划的看法与他们先前对网络安全威胁，培训计划的内容和交付，周围其他人员的行为以及组织特征的信念有关。从应用的角度来看，这些发现可以解释为什么员工经常不参加网络安全培训材料，以及他们当前的信念如何影响他们对未来培训的接受度。