Kurowski, Sebastian; Cetin, Fatma; Fischer, Rudolf; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian
Dates: 2021-05-20; 2021-05-20; 2021
ISBN: 978-3-88579-706-7
URL: https://dl.gi.de/handle/20.500.12116/36493

Abstract: Most organizations rely on individuals without or with little security knowledge to participate in information security tasks. Intending to enable them, information security trainings are usually used. But their effectiveness is debatable. In this contribution we combine descriptive analysis with the social systems theory and current literature on organizational learning and change management to conceptualize the challenges of information security training. We find that the challenges of security training are rooted within a basic dilemma of security: its value-promise (addressing of risks) is not suitable for communication within an organization. These findings are part of an ongoing research project on trainings for IoT security.

Language: en
Keywords: Security training; awareness; policy compliance; system theory; change management; organizational learning
Title: Why should they care? Conceptualizing the challenges of information security training
Type: Text/Conference Paper
ISSN: 1617-5468