7,380 research outputs found

    AIM Triad: A Prioritization Strategy for Public Institutions to Improve Information Security Maturity

    In today’s world, private and government organizations are legally obligated to prioritize their information security. They need to provide proof that they are continually improving their cybersecurity compliance. One approach that can help organizations achieve this goal is implementing information security maturity models. These models provide a structured framework for measuring performance and implementing best practices. However, choosing a suitable model can be challenging, requiring cultural, process, and work practice changes. Implementing multiple models can be overwhelming, if possible. This article proposes a prioritization strategy for public institutions that want to improve their information security maturity. We thoroughly analyzed various sources through systematic mapping to identify critical similarities in information security maturity models. Our research led us to create the AIM (Awareness, Infrastructure, and Management) Triad. This triad is a practical guide for organizations to achieve maturity in information security practices. This work received partial support from Proyecto DIUFRO DI21-0079 and Proyecto DIUFRO DI22-0043, Universidad de La Frontera, Temuco, Chile.

    Customer’s Cybersecurity Awareness in Indonesian Online Clothing Micro, Small and Medium Enterprises

    In the current technological era, almost every business operation and transaction are conducted through cyberspace, including micro, small and medium enterprises (MSME). However, MSMEs pose the greatest vulnerability to cyber-attacks due to their limitation in both awareness and resources. Multiple research found that people significantly affect cybersecurity more than the technical aspect. Thus, making cybersecurity awareness vital for every business, especially MSMEs. Currently, most cybersecurity awareness research is focused on the perspective of MSMEs and their owners. Limited cybersecurity awareness research assesses MSMEs in Indonesia, especially in the online clothing sector. This research will contribute to assessing cybersecurity awareness from MSME customers’ perspective and aims to recommend Indonesian online clothing MSME environment to raise cybersecurity awareness. The researcher used a survey and a semi-structured interview to assess the overall cybersecurity awareness of Indonesian online clothing MSME customers. The semi-structured interview also explored respondents’ opinions on raising cybersecurity awareness in the Indonesian online clothing MSME. The result shows a variety of levels of cybersecurity awareness among respondents. Correlation tests were conducted and found several aspects that were affecting respondents’ cybersecurity awareness. The interview results also support the findings in the survey whilst also contributing to providing recommendations to raise cybersecurity awareness. Keywords: Customers, Cybersecurity, Cybersecurity Awareness, Cyber-attack, MSM

    Think twice before you click! : exploring the role of human factors in cybersecurity and privacy within healthcare organizations

    The urgent need to protect sensitive patient data and preserve the integrity of healthcare services has propelled the exploration of cybersecurity and privacy within healthcare organizations [1]. Recognizing that advanced technology and robust security measures alone are insufficient [2], our research focuses on the often-overlooked human element that significantly influences the efficacy of these safeguards. Our motivation stems from the realization that individual behaviors, decision-making processes, and organizational culture can be both the weakest link and the most potent tool in achieving a secure environment. Understanding these human dimensions is paramount as even the most sophisticated protocols can be undone by a single lapse in judgment. This research explores the impact of human behavior on cybersecurity and privacy within healthcare organizations and presents a new methodological approach for measuring and raising awareness among healthcare employees. Understanding the human influence in cybersecurity and privacy is critical for mitigating risks and strengthening overall security posture. Moreover, the thesis aims to place emphasis on the human aspects focusing more on the often-overlooked factors that can shape the effectiveness of cybersecurity and privacy measures within healthcare organizations. We have highlighted factors such as employee awareness, knowledge, and behavior that play a pivotal role in preventing security incidents and data breaches [1]. By focusing on how social engineering attacks exploit human vulnerabilities, we underline the necessity to address these human influenced aspects. The existing literature highlights the crucial role that human factors and awareness training play in strengthening cyber resilience, especially within the healthcare sector [1]. 
Developing well-customized training programs, along with fostering a robust organizational culture, is vital for encouraging a secure and protected digital healthcare setting [3]. Building on the recognized significance of human influence in cybersecurity within healthcare organizations, a systematic literature review became indispensable. The existing body of research might not have fully captured all ways in which human factors, such as psychology, behavior, and organizational culture, intertwined with technological aspects. A systematic literature review served as a robust foundation to collate, analyze, and synthesize existing knowledge, and to identify gaps where further research was needed. In complement to our systematic literature review and investigation of human factors, our research introduced a new methodological approach through a concept study based on an exploratory survey [4]. Recognizing the need to uncover intricate human behavior and psychology in the context of cybersecurity, we designed this survey to probe the multifaceted dimensions of cybersecurity awareness. The exploratory nature of the survey allowed us to explore cognitive, emotional, and behavioral aspects, capturing information that is often overlooked in conventional analyses. By employing this tailored survey, we were able to collect insights that provided a more textured understanding of how individuals within healthcare organizations perceive and engage with cybersecurity measures

    Gamification as a neuroergonomic approach to improving interpersonal situational awareness in cyber defense

    In cyber threat situations, the establishment of a shared situational awareness as a basis for cyber defense decision-making results from adequate communication of a Recognized Cyber Picture (RCP). RCPs consist of actively selected information and have the goal of accurately presenting the severity and potential consequences of the situation. RCPs must be communicated between individuals, but also between organizations, and often from technical to non-/less technical personnel. The communication of RCPs is subject to many challenges that may affect the transfer of critical information between individuals. There are currently no common best practices for training communication for shared situational awareness among cyber defense personnel. The Orient, Locate, Bridge (OLB) model is a pedagogic tool to improve communication between individuals during a cyber threat situation. According to the model, an individual must apply meta-cognitive awareness (O), perspective taking (L), and communication skills (B) to successfully communicate the RCP. Gamification (applying game elements to non-game contexts) has shown promise as an approach to learning. We propose a novel OLB-based Gamification design to improve dyadic communication for shared situational awareness among (technical and non-technical) individuals during a cyber threat situation. The design includes the Gamification elements of narrative, scoring, feedback, and judgment of self. The proposed concept contributes to the educational development of cyber operators from both military and civilian organizations responsible for defending and securing digital infrastructure. This is achieved by combining the elements of a novel communication model with Gamification in a context in urgent need for educational input.

    Preparing UK students for the workplace: The Acceptability of a Gamified Cybersecurity Training

    This pilot study aims to assess the acceptability of Open University’s training platform called Gamified Intelligent Cyber Aptitude and Skills Training course (GICAST), as a means of improving cybersecurity knowledge, attitudes, and behaviours in undergraduate students using both quantitative and qualitative methods. A mixed-methods, pre-post experimental design was employed. 43 self-selected participants were recruited via an online register and posters at the university (excluding IT related courses). Participants completed the Human Aspects of Information Security Questionnaire (HAIS-Q) and Fear of Missing Out (FoMO) Scale. They then completed all games and quizzes in the GICAST course before repeating the HAIS-Q and FoMO scales as well as several open-ended questions. Pre-training HAIS-Q Knowledge, Attitude and Behaviour all improved from ‘reasonable’ pre-training levels to become ‘very high’ following training with large effect sizes estimated. FoMO improved to a lesser degree but also predicted the degree of HAIS-Q improvement suggesting it is relevant to the impact of this training course. Qualitatively, five key themes were generated: enjoyment, engagement, usability of GICAST, content relevance, and perceived educational efficacy. Overall, sentiment towards training was very positive as an enjoyable engaging and usable course. GICAST was found to be a feasible course for a wide range of students at a UK university: overall the training improved cyber-security awareness on a well validated measure with outcomes comparable to information-security-trained employees of a secure workplace. Despite a diversity of views about content, the course appears to be well suited to the non-IT undergraduate sector and may suit wide uptake to enhance students’ employability in a wide range of cybersecurity relevant contexts

    SOK: young children’s cybersecurity knowledge, skills & practice: a systematic literature review

    The rise in children’s use of digital technology highlights the need for them to learn to act securely online. Cybersecurity skills require mature cognitive abilities which children only acquire after they start using technology. As such, this paper explores the guidance and current curriculum expectations on cybersecurity aspects in Scotland. Additionally, a systematic review was undertaken of the literature pertaining to cybersecurity education for children on a wider scale including papers from around the world, with 27 peer reviewed papers included in the final review. We discovered that most research focused on assessing children’s knowledge or investigating the efficacy of interventions to improve cybersecurity knowledge and practice. Very few investigated the skills required to carry out the expected cybersecurity actions. For example, high levels of literacy, mature short- and long-term memory, attention, and established meta cognition are all pre-requisites to be able to carry out cybersecurity activities. Our main finding is that empirical research is required to explore the ages at which children have developed essential cognitive abilities and thereby the potential to master cybersecurity skills

    Design of a Security Toolbox: A Framework To Mitigate The Risks of Cyberspace

    Dissertation presented as the partial requirement for obtaining a Master's degree in Information Management, specialization in Information Systems and Technologies Management. This research aims to create a framework that helps SMEs mitigate the various risks of cyberspace. In this digital era, the dangers of cyberspace are increasing, which leads to the need for organizations to adopt adequate security measures capable of preventing cyberattacks. However, a large number of employees in SMEs do not know how to act to mitigate the risks already mentioned. Thus, the development of a security toolbox could be a solution to help SMEs be less exposed to the dangers of cyberspace. For this research, a theoretical overview associated with cybersecurity to understand the current state of security solutions and the different control options in the organizational environment was essential. Last but not least, a clear understanding of the SMEs needs, in the area of security, was also crucial in the development and construction of the proposed artifact. To evaluate and validate the security toolbox, focus group meetings will be scheduled. The implementation of a security toolbox that helps SMEs to identify, protect, respond and recover from potential cyberattacks, may be relevant and can provide great results for different organizational environments to mitigate the risks of cyberspace. The suggested framework would play an important role, to the users of the security Toolbox to get more know-how to protect the business environment. Also, may be seen as a vantage to the science since will help to develop the research related to improving the techniques and tools disposal to mitigate the high risks of cyberspace