680 research outputs found

    An Alternative to the One-Size-Fits-All Approach to ISA Training: A Design Science Approach to ISA Regarding the Adaption to Student Vulnerability Based on Knowledge and Behavior

    Any connection to the university’s network is a conduit that has the potential of being exploited by an attacker, resulting in the possibility of substantial harm to the infrastructure, to the university, and to the student body whom the university serves. While organizations rightfully “batten down the hatches” by building firewalls, creating proxies, and applying important updates, the most significant vulnerability, that of the student, continues to be an issue due to lack of knowledge, insufficient motivation, and inadequate or misguided training. Utilizing the Design Science Research (DSR) methodology, this research effort seeks to address the latter concern of training by seeking to design a methodology that will sufficiently support the automatic adaptation of security training, which will be based on the assessment of student vulnerability determined by the student’s overall Information Security Awareness (ISA) knowledge and computer security behavior

    A systematic review of approaches to assessing cyber security awareness

    Purpose – The purpose of this paper is to survey, explore and inform researchers about the previous methodologies applied, target audience and coverage of previous assessment of cybersecurity awareness by capturing, summarizing, synthesizing and critically comment on it. It is also conducted to identify the gaps in the cybersecurity awareness assessment research which warrants the future work. Design/methodology/approach – The authors used a systematic literature review technique to search the relevant online databases by using pre-defined keywords. The authors limited the search to retrieve only English language academic articles published from 2005 to 2014. Relevant information was extracted from the retrieved articles, and the ensuing discussion centres on providing the answers to the research questions. Findings – From the online searches, 23 studies that matched the search criteria were retrieved, and the information extracted from each study includes the authors, publication year, assessment method used, target audiences, coverage of assessment and assessment goals. Originality/value – The review of the retrieved articles indicates that no previous research was conducted in the assessment of the cybersecurity awareness using a programme evaluation technique. It was also found that few studies focused on youngsters and on the issue of safeguarding personal information

    The Effectiveness of Cybersecurity Compliance in a Corporate Organization in Nigeria

    The complexity and growth also create asymmetries between attackers and their targets, and incentives that drive underinvestment in cybersecurity. The Digital technologies have transformed how people socialize, shop, interact with government and do business. The World Wide Web is of made amounts of information instantly available. The smartphones have put our fingertips everywhere we go it an improvement on effectiveness cybersecurity training for end users of systems and offers suggestions about and how top management leaders can improve on training to effectively combat cybersecurity threats at the organizations. Is imperative to achieve higher end-user cybersecurity compliance; practice is accepted, as a means to increase compliance behavior in any organization. The Training can influence compliance by one or more of three causal pathways: by increasing cybersecurity awareness, by increasing cybersecurity proficiency (i.e., improve cybersecurity skills) and by raising cybersecurity self-efficacy. This includes an extensive review of the cybersecurity policies and competencies that are the basis for training needs analysis, setting learning goals, and practical training. This paper discusses opportunities for human resource (HR) practitioners and industrial and organizational (I-O) psychologists, and information technology (IT) specialists, and to integrate their skills and enhance the capabilities of organizations to counteract cybersecurity threats. Any Organizations cannot achieve their cybersecurity goals on workers alone, so all employees who use computer networks must be trained on the skill and policies related to cybersecurity

    A Case Study in the Implementation of a Human-Centric Higher Education Cybersecurity Program

    This article contains a description of the implementation of a comprehensive cyber security program at a regional comprehensive university. The program was designed to create an effective cyber security management infrastructure and to train end users and other categories of security management personnel in data protection and cyber security. This work addresses the impetus for the program, the rather extensive planning and development that went into the program, its implementation, and insights gleaned from the experience. The paper concludes with a summary of the strengths and weaknesses of the initiative

    Assessing Cybersecurity service quality in corporate environments

    This study assesses the quality of Cybersecurity as a service provided by IT department in corporate network and provides analysis about the service quality impact on the user, seen as a consumer of the service, and on the organization as well. In order to evaluate the quality of this service, multi-item instrument “SERVQUAL” was used for measuring consumer perceptions of service quality. To provide insights about Cybersecurity service quality impact, DeLone and McLean information systems success model was used. To test this approach, data was collected from over one hundred users from different industries and partial least square (PLS) was used to estimate the research model. This study found that SERVQUAL is adequate to assess Cybersecurity service quality and also found that Cybersecurity service quality positively influences the Cybersecurity use and individual impact in Cybersecurity

    Survey Results on Adults and Cybersecurity Education

    Cyberattacks and identity theft are common problems nowadays where researchers often say that humans are the weakest link in the security chain. Therefore, this survey focused on analyzing the interest for adults for ‘cyber threat education seminars’, e.g., how to project themselves and their loved ones. Specifically, we asked questions to understand a possible audience, willingness for paying / time commitment, or fields of interest as well as background and previous training experience. The survey was conducted in late 2016 and taken by 233 participants. The results show that many are worried about cyber threats and about their children exploring the online domain. However, seminars do not seem to be a priority as many individuals were only willing to spend 1-1.5h on seminars

    Preparing UK students for the workplace: The Acceptability of a Gamified Cybersecurity Training

    This pilot study aims to assess the acceptability of Open University’s training platform called Gamified Intelligent Cyber Aptitude and Skills Training course (GICAST), as a means of improving cybersecurity knowledge, attitudes, and behaviours in undergraduate students using both quantitative and qualitative methods. A mixed-methods, pre-post experimental design was employed. 43 self-selected participants were recruited via an online register and posters at the university (excluding IT related courses). Participants completed the Human Aspects of Information Security Questionnaire (HAIS-Q) and Fear of Missing Out (FoMO) Scale. They then completed all games and quizzes in the GICAST course before repeating the HAIS-Q and FoMO scales as well as several open-ended questions. Pre-training HAIS-Q Knowledge, Attitude and Behaviour all improved from ‘reasonable’ pre-training levels to become ‘very high’ following training with large effect sizes estimated. FoMO improved to a lesser degree but also predicted the degree of HAIS-Q improvement suggesting it is relevant to the impact of this training course. Qualitatively, five key themes were generated: enjoyment, engagement, usability of GICAST, content relevance, and perceived educational efficacy. Overall, sentiment towards training was very positive as an enjoyable engaging and usable course. GICAST was found to be a feasible course for a wide range of students at a UK university: overall the training improved cyber-security awareness on a well validated measure with outcomes comparable to information-security-trained employees of a secure workplace. Despite a diversity of views about content, the course appears to be well suited to the non-IT undergraduate sector and may suit wide uptake to enhance students’ employability in a wide range of cybersecurity relevant contexts

    Factors that influence HIPAA Secure compliance in small and medium-size health care facilities

    This study extends the body of literature concerning security compliance by investigating the antecedents of HIPAA security compliance. A conceptual model, specifying a set of hypothesized relationships between management support, security awareness, security culture, security behavior, and risk of sanctions to address their effect on HIPAA security compliance is presented. This model was developed based on the review of the literature, Protection Motivation Theory, and General Deterrence Theory. Specifically, the aim of the study is to examine the mediating role of risk of sanctions on HIPAA security compliance

    Comparing Training Methodologies on Employee’s Cybersecurity Countermeasures Awareness and Skills in Traditional vs. Socio-Technical Programs

    Organizations, which have established an effective technical layer of security, continue to experience difficulties triggered by cyber threats. Ultimately, the cybersecurity posture of an organization depends on appropriate actions taken by employees whose naive cybersecurity practices have been found to represent 72% to 95% of cybersecurity threats and vulnerabilities to organizations. However, employees cannot be held responsible for cybersecurity practices if they are not provided the education and training to acquire skills, which allow for identification of security threats along with the proper course of action to mitigate such threats. In addition, awareness of the importance of cybersecurity, the responsibility of protecting organizational data, as well as of emerging cybersecurity threats is quickly becoming essential as the threat landscape increases in sophistication at an alarming rate. Security education, training, and awareness (SETA) programs can be used to empower employees, who are often cited as the weakest link in information systems (IS) security due to limited knowledge and lacking skillsets. Quality SETA programs not only focus on raising employee awareness of responsibilities in relation to their organizations’ information assets but also train on the consequences of abuse while providing the necessary skills to help fulfill these requirements. The main goal of this research study was to empirically assess if there are any significant differences on employees’ cybersecurity countermeasures awareness (CCA) and cybersecurity skills (CyS) based on the use of two SETA program types (typical & socio-technical) and two SETA delivery methods (face-to-face & online). This study included a mixed method approach combining an expert panel, developmental research, and quantitative data collection. A panel of subject matter experts (SMEs) reviewed the proposed SETA program topics and measurement criteria for CCA per the Delphi methodology. 
The SMEs’ responses were incorporated into the development of two SETA program types with integrated vignette-based assessment of CCA and CyS, which were delivered via two methods. Vignette-based assessment provided a nonintrusive way of measurement in a pre- and post-assessment format. Once the programs had been reviewed by the SMEs to ensure validity and reliability, per the Delphi methodology, randomly assigned participants were asked to complete the pre-assessment, the SETA program, and then the post-assessment providing for the qualitative phase of the study. Data collected was analyzed using analysis of variance (ANOVA) and analysis of covariance (ANCOVA) to address the proposed research hypothesis. Recommendations for SETA program type and delivery method as a result of data analysis are provided

    Exploring the Cybersecurity Hiring Gap

    Cybersecurity is one of the fastest growing segments of information technology. The Commonwealth of Virginia has 30,000 cyber-related jobs open because of the lack of skilled candidates. The study is necessary because some business managers lack strategies for hiring cybersecurity professionals for U.S. Department of Defense (DoD) contracts. The purpose of this case study was to explore strategies business managers in DoD contracting companies used to fill cybersecurity positions. The conceptual framework used for this study was the organizational learning theory. A purposeful sample of 8 successful business managers with cybersecurity responsibilities working for U.S. DoD contracting companies that successfully hired cybersecurity professionals in Hampton Roads, VA participated in the study. Data collection included semistructured interviews and a review of job postings from the companies represented by the participants. Coding, content, and thematic analysis were the methods used to analyze data. Within-methods triangulation was used to add accuracy to the analysis. At the conclusion of the data analysis, two main themes emerged: maintaining contractual requirements and a strong recruiting process. Contractual requirements guided how hiring managers hired cybersecurity personnel and executed the contract. A strong hiring process added efficiency to the hiring process. The findings of the study may contribute to positive social change by encouraging the recruitment and retention of cybersecurity professionals. Skilled cybersecurity professionals may safeguard businesses and society from Internet crime, thereby encouraging the safe exchange and containment of data