Date of Conferral



Doctor of Information Technology (D.I.T.)


Information Systems and Technology


Bob Duhainy


Ineffective security education, training, and awareness (SETA) programs contribute to compromises of organizational information systems and data. Inappropriate actions from users due to ineffective SETA programs may result in legal consequences, fines, reputational damage, adverse impacts on national security, and criminal acts. Grounded in social cognitive theory, the purpose of this qualitative multiple case study was to explore strategies hospitality organizational information technology (IT) leaders utilized to implement SETA successfully. The participants were organizational IT leaders from four organizations in Hampton Roads, Virginia. Data collection was performed using telephone and video teleconference interviews with organizational IT leaders (n = 6) as well as secondary data analysis of documents related to SETA programs (n = 31). Thematic analysis was used to analyze and code the data, which resulted in three themes. Consistent, persistent, and relevant awareness and training was the first theme to emerge. Awareness and training based on threats, vulnerabilities, and risks was the second theme to emerge. Disclosing expectations and taking appropriate actions towards employees based on behavior was the third theme to emerge. A recommendation is that SETA should be performed regularly throughout the year while using employee rewards and punishments to promote desired behavior. The findings of this study may promote positive social change by providing information to IT leaders to develop SETA programs and reduce security risks within organizations across various industries. Improved SETA may contribute to improved cyber practices at home and better protect family members.