CYBERSECURITY TRAINING AS RISK COMMUNICATION: A THEORY-INFORMED MODEL OF EMPLOYEE LEARNING AND BEHAVIOR CHANGE

Author

Daniel Chaney, University of KentuckyFollow

Author ORCID Identifier

https://orcid.org/0009-0005-3700-6961

Date Available

8-5-2025

Year of Publication

2025

Document Type

Doctoral Dissertation

Degree Name

Doctor of Philosophy (PhD)

College

Communication and Information

Department/School/Program

Communication

Faculty

Dr. Derek Lane

Abstract

Cybersecurity threats like phishing remain a persistent and costly challenge for organizations. Despite widespread corporate cybersecurity training (CCT) programs, many fail to produce lasting behavior change. This dissertation introduces the Training Knowledge Flow (TKF) Model to assess why such efforts often fall short. Grounded in communication theory, risk messaging, and adult learning principles, the TKF Model conceptualizes cybersecurity training as a staged process of learning, application, and behavioral adaptation. The model includes three phases: (1) Employee as Learner, focusing on message clarity and cognitive engagement; (2) Employee as Practitioner, assessing workplace transfer and training relevance; and (3) Employee as Security Actor, measuring long-term behavior and phishing resistance. A core insight is the misalignment between employees’ perceived readiness after training and their actual workplace behaviors. Many report confidence during training yet fail to act securely in real-world conditions. Environmental context such as workload, system constraints, and cultural norms all play pivotal roles in moderating the impact of knowledge and intent. By capturing these influences, the TKF Model provides a framework to design more effective, context-aware training programs. The findings help bridge the gap between classroom success and operational security, with implications for both academia and industry.

Digital Object Identifier (DOI)

https://doi.org/10.13023/etd.2025.345

Funding Information

Dr. Renee Kaufmann (Associate Dean of Graduate Programs), and Dr. Anthony Limperos (Chair of the Department of Communication) and their offices for providing internal financial support that made this research possible.

Recommended Citation

Chaney, Daniel, "CYBERSECURITY TRAINING AS RISK COMMUNICATION: A THEORY-INFORMED MODEL OF EMPLOYEE LEARNING AND BEHAVIOR CHANGE" (2025). Theses and Dissertations--Communication. 139.
https://uknowledge.uky.edu/comm_etds/139