Showing posts from December, 2009

Security awareness research

Thanks to a link posted to an email reflector, I've just stumbled across a 2006 PhD thesis that examined a number of approaches to information security awareness in order to develop design guidelines for awareness programs and activities. The research was mentored by Professor Mikko Siponen, leader of Oulu University's Information Systems Security Research Center in Finland. The thesis, "A design theory for information security awareness" by Petri Puhakainen, is well written. As usual for a scientific PhD thesis, it starts by briefly reviewing existing literature in the field of information security awareness, then goes on to present the author's research experiments, findings and conclusions. The thesis evaluates common awareness practices using cognitive theories of how learning and behavioural change are understood to occur. For example, "Communication is presented as a continuous process where the parties should take turns and create information ...