1,886 research outputs found

    Application of intervention mapping in cybersecurity education design

    Education in Cybersecurity is considered one of the key challenges facing the modern digitized world. Several frameworks, e.g., developed by NIST or ENISA, have defined requirements for cybersecurity education but do not give recommendations for their development. Developing appropriate education offerings needs to incorporate theory-based approaches that are evidence supported. Adopting the Intervention Mapping paradigm, we propose an educational framework incorporating validated theoretical and evidence-based approaches to cybersecurity education encompassing stakeholders' input, identified competency needs, and how to implement and evaluate learning outcomes. This paper presents a case study of how Intervention Mapping can be used to help design cybersecurity education, discusses challenges in educational and professional aspects of cybersecurity, and presents an applied educational approach based on Intervention Mapping and its evaluation.

    Establishing Human Factors Programs to Mitigate Blind Spots in Cybersecurity

    Most business organizations lack a human factors program and remain inattentive to human-centric issues and human-related problems that are leading to cybersecurity incidents, significant financial losses, reputational damage, and lost production. Other industries such as aviation, nuclear power, healthcare, and industrial safety leverage human factors problems as platforms to reduce human errors. The underappreciation and under-exploration of human factors in cybersecurity threatens the existence of every business. Cybersecurity operations are becoming increasingly abstruse and technologically sophisticated resulting in heightened opportunities for human errors. A human factors program can provide the foundation to address and mitigate human-centric issues, properly train the workforce, and integrate psychology-based professionals as stakeholders to remediate human factors-based problems

    Editorial

    Editorial for Volume 2023, Issue

    Cybersecurity, Technology, and Society: Developing an Interdisciplinary, Open, General Education Cybersecurity Course

    This paper describes an interdisciplinary effort involving faculty from five different disciplines who came together to develop an interdisciplinary, open, general education cybersecurity course. The course, Cybersecurity, Technology, and Society, brings together ideas from interdisciplinary studies, information technology, engineering, business, computer science, criminal justice, and philosophy to provide students an interdisciplinary introduction to cybersecurity. We provide an overview of the rationale for the course, the process the authors went through developing the course, a summary of the course modules, details about the open education resources used as readings, and the types of assignments included in the class. We conclude by offering recommendations for others developing similar courses

    The Effect of Cybersecurity Training on Government Employee’s Knowledge of Cybersecurity Issues and Practices

    There is an ever-pressing need for cybersecurity awareness and implementation of learning strategies in the workplace to mitigate the increased threat posed by cyber-attacks and exacerbated by an untrained workforce. The lack of cybersecurity knowledge amongst government employees has increased to critical levels due to the amount of sensitive information their agencies are responsible for. The digital compromise of a government entity often leads to a compromise of constituent data along with the disruption of public services (Axelrod, 2019; Yazdanpanahi, 2021). The need for awareness is further complicated by agencies looking to cater to a digital culture looking for a balance in government transparency and access by providing more services online. This act of modernizing services for a connected constituency adds further risk to the agency by exposing its workforce to threats associated with the internet-connected world. If their workforce is not prepared for the tactics used by cybercriminals, the consequences can be both fiscally and politically reprehensible. This study considers the knowledge enhancements resulting from the incorporation of cybersecurity training for local government employees in South Texas and the potential effects it will have on the cybersecurity awareness of the population. This study requires the collection and analysis of the following archival data: the results of a state-mandated cybersecurity awareness training and Cybersecurity Awareness Survey, which was adapted from the Pew Research Center’s (2016) Cybersecurity Knowledge Quiz. The purpose of this study is to analyze the effect of a cybersecurity awareness training program on government employees’ knowledge of cybersecurity issues and their ability to mitigate cybersecurity threats

    Exploring Strategies for Recruiting and Retaining Diverse Cybersecurity Professionals

    The cyber threat landscape has led some cybersecurity leaders to focus on a holistic approach encompassing people, processes, and technology to make their government agencies and organizations more responsive to a more diverse and inclusive cyber workforce to protect critical infrastructure from hackers or cybercriminals intent on causing harm. This qualitative multiple case study used Schein’s organizational culture theory to explore strategies used by cybersecurity leaders to attract, recruit, and retain diverse cybersecurity professionals to effectively and efficiently protect sensitive systems from rising cyber threats. The study's population consisted of cybersecurity leaders from 3 government agencies and 9 organizations in small, medium, and large enterprises in the Atlanta, Georgia, metropolitan area in the United States. The data collection process included semistructured interviews of cybersecurity leaders (N = 12) and the analysis of publicly available documents and presentations (n = 20). Data triangulation and member checking produced major and minor themes to increase the study findings’ validity. Thematic analysis was used to identify 5 prominent themes: maintain a diverse and inclusive approach to recruitment; continuous training and development; maintain a culture of openness and teamwork; top leadership support; and overcoming challenges to cyber talent attraction, recruitment, and retention. The study findings showed that valuing all diversity may enable cyber teams to execute cybersecurity functions and missions promptly with a variation of thought and lenses. The study findings may contribute to positive social change by improving diversity, inclusion, work-life balance, morale, stress-levels, and opportunities for women and minorities in the cyber workforce

    Theory of Experiential Career Exploration Technology (TECET): Increasing cybersecurity career interest through playable case studies

    There is a large demand to fill cybersecurity jobs. To alleviate this need, it is important to generate interest in cybersecurity as a career. One way to do this is through job shadowing and internships. Using design science principles, we have built and tested a playable case study (PCS) where participants can act out a virtual internship and learn relevant cybersecurity skills. We ran a study with students in introductory university courses where they played through a simulated internship at a penetration testing company called CyberMatics. In the study we showed that a PCS format helps students 1) better understand what skills and traits are needed for, 2) more firmly decide whether to pursue, and 3) increase their confidence in their ability to succeed in a career in cybersecurity. Through this study we propose the Theory of Experiential Career Exploration Technology (TECET)

    Neurodiverse Knowledge, Skills and Ability Assessment for Cyber Security

    Cyber attacks have become commonplace and cause harm to IT systems operated by governments, businesses and citizens. As a result, there has been substantial job growth within the cyber security industry to try and meet the need for network defence. However, due to fierce competition for with the relevant skills there is a shortfall in skilled workers able to fill these roles. The goal of this project is to develop, validate and verify a novel solution for the recruitment of highly competent cyber security staff who can defend our nation against capable and well-funded adversaries. The proposed solution involves the development of a training scheme to train neurodiverse individuals for these roles. There is evidence for their interest and aptitude within the sector, but no research has been undertaken to establish how best to train them in the context of their individual differences

    Think twice before you click! : exploring the role of human factors in cybersecurity and privacy within healthcare organizations

    The urgent need to protect sensitive patient data and preserve the integrity of healthcare services has propelled the exploration of cybersecurity and privacy within healthcare organizations [1]. Recognizing that advanced technology and robust security measures alone are insufficient [2], our research focuses on the often-overlooked human element that significantly influences the efficacy of these safeguards. Our motivation stems from the realization that individual behaviors, decision-making processes, and organizational culture can be both the weakest link and the most potent tool in achieving a secure environment. Understanding these human dimensions is paramount as even the most sophisticated protocols can be undone by a single lapse in judgment. This research explores the impact of human behavior on cybersecurity and privacy within healthcare organizations and presents a new methodological approach for measuring and raising awareness among healthcare employees. Understanding the human influence in cybersecurity and privacy is critical for mitigating risks and strengthening overall security posture. Moreover, the thesis aims to place emphasis on the human aspects focusing more on the often-overlooked factors that can shape the effectiveness of cybersecurity and privacy measures within healthcare organizations. We have highlighted factors such as employee awareness, knowledge, and behavior that play a pivotal role in preventing security incidents and data breaches [1]. By focusing on how social engineering attacks exploit human vulnerabilities, we underline the necessity to address these human influenced aspects. The existing literature highlights the crucial role that human factors and awareness training play in strengthening cyber resilience, especially within the healthcare sector [1]. 
    Developing well-customized training programs, along with fostering a robust organizational culture, is vital for encouraging a secure and protected digital healthcare setting [3]. Building on the recognized significance of human influence in cybersecurity within healthcare organizations, a systematic literature review became indispensable. The existing body of research might not have fully captured all ways in which human factors, such as psychology, behavior, and organizational culture, intertwined with technological aspects. A systematic literature review served as a robust foundation to collate, analyze, and synthesize existing knowledge, and to identify gaps where further research was needed. In complement to our systematic literature review and investigation of human factors, our research introduced a new methodological approach through a concept study based on an exploratory survey [4]. Recognizing the need to uncover intricate human behavior and psychology in the context of cybersecurity, we designed this survey to probe the multifaceted dimensions of cybersecurity awareness. The exploratory nature of the survey allowed us to explore cognitive, emotional, and behavioral aspects, capturing information that is often overlooked in conventional analyses. By employing this tailored survey, we were able to collect insights that provided a more textured understanding of how individuals within healthcare organizations perceive and engage with cybersecurity measures

    A Novel Approach to the Behavioral Aspects of Cybersecurity

    The Internet and cyberspace are inseparable aspects of everyone's life. Cyberspace is a concept that describes widespread, interconnected, and online digital technology. Cyberspace refers to the online world that is separate from everyday reality. Since the internet is a recent advance in human lives, there are many unknown and unpredictable aspects to it that sometimes can be catastrophic to users in financial aspects, high-tech industry, and healthcare. Cybersecurity failures are usually caused by human errors or their lack of knowledge. According to the International Business Machines Corporation (IBM) X-Force Threat Intelligence Index in 2020, around 8.5 billion records were compromised in 2019 due to failures of insiders, which is an increase of more than 200 percent compared to the compromised records in 2018. In another survey performed by the Ernst and Young Global Information Security during 2018-2019, it is reported that 34% of the organizations stated that employees who are inattentive or do not have the necessary knowledge are the principal vulnerabilities of cybersecurity, and 22% of the organizations indicated that phishing is the main threat to them. Inattentive users are one of the reasons for data breaches and cyberattacks. The National Cyber Security Centre (NCSC) in the United Kingdom observed that 23.2 million users who were victims of cybersecurity attacks used a carelessly selected password, which is 123456, as their account password. The Annual Cybersecurity Report published by Cisco in 2018 announced that phishing and spear phishing emails are the root causes of many cybersecurity attacks in recent years. Hence, enhancing the cybersecurity behaviors of both personal users and organizations can protect vulnerable users from cyber threats. Both human factors and technological aspects of cybersecurity should be addressed in organizations for a safer environment