Identification and access management: An action research approach to develop a training strategy for higher education

Identification and access management has been among the top security issues facing institutions of higher education. Most institutions of higher education require end users to provide usernames and passwords to gain access to personally identifiable information (PII). This leaves universities vulnerable to unauthorized access and unauthorized disclosure of PII as, according to recent literature, usernames and passwords alone are insufficient for proper authentication of users into information and information systems.This study examines a critical element in the successful implementation of any information security initiative, end user training. Specifically, this study advances research in the area of end user security training by developing an IT security training framework that can guide institutions of higher education in the implementation of USB security tokens for two-factor authentication using public key infrastructure.The research provided training to thirty faculty and staff members at California State University, San Bernardino. An evaluation of the training was administered by way of interviews and observation to determine if the users adopted and are using the USB security token. The interviews, observation tactics, and help desk questionnaires allowed the researcher to evaluate the effectiveness of the training methods used in each training session and adjust, if necessary, the methods used in future training sessions. The Susman and Evered (1978) action research approach was the methodology used to continuously refine the training until it was considered successful and trainees adopted and used the technology.The research includes the use of two primary frameworks including the IT Security Training Matrix (NIST sp 800-16) to guide the development of the training materials and the Training Strategy Framework (Olfman, Bostrom, & Sein, 2006) to develop more effective training strategies. This study adapts the Training Strategy Framework (Olfman et al. 2006) to create a new IT security training strategy framework that can be used by institutions of higher education to address knowledge levels relating to the use of an IT security tool. The findings suggest that the training methods and approach are perceived to be useful, and most users are using the USB eToken.