5 research outputs found

    Preparing UK students for the workplace: The Acceptability of a Gamified Cybersecurity Training

    This pilot study aims to assess the acceptability of Open University’s training platform called Gamified Intelligent Cyber Aptitude and Skills Training course (GICAST), as a means of improving cybersecurity knowledge, attitudes, and behaviours in undergraduate students using both quantitative and qualitative methods. A mixed-methods, pre-post experimental design was employed. 43 self-selected participants were recruited via an online register and posters at the university (excluding IT related courses). Participants completed the Human Aspects of Information Security Questionnaire (HAIS-Q) and Fear of Missing Out (FoMO) Scale. They then completed all games and quizzes in the GICAST course before repeating the HAIS-Q and FoMO scales as well as several open-ended questions. Pre-training HAIS-Q Knowledge, Attitude and Behaviour all improved from ‘reasonable’ pre-training levels to become ‘very high’ following training with large effect sizes estimated. FoMO improved to a lesser degree but also predicted the degree of HAIS-Q improvement, suggesting it is relevant to the impact of this training course. Qualitatively, five key themes were generated: enjoyment, engagement, usability of GICAST, content relevance, and perceived educational efficacy. Overall, sentiment towards training was very positive as an enjoyable, engaging and usable course. GICAST was found to be a feasible course for a wide range of students at a UK university: overall the training improved cybersecurity awareness on a well validated measure with outcomes comparable to information-security-trained employees of a secure workplace. Despite a diversity of views about content, the course appears to be well suited to the non-IT undergraduate sector and may suit wide uptake to enhance students’ employability in a wide range of cybersecurity relevant contexts.

    Securing mobile devices: Evaluating the relationship between risk perception, organisational commitment and information security awareness

    This study examined the relationship between perception of risk, organisational commitment, and Information Security Awareness (ISA). An online survey was completed by 269 working Australians. Perceptions of the Internet of Things (IoT) risk as it pertains to physically securing mobile devices were assessed. Organisational commitment and perception of personal risk significantly predicted ISA, as did two of the psychometric paradigm items. Demographic variables (age and gender) also significantly predicted variance in ISA, as did frequency of workplace information security training, albeit negatively. By identifying organisational commitment and perception of personal risk as significant predictors of ISA, this research has the potential to inform the development of information security training, aiming to enhance employee ISA. A. Reeves, K. Parsons, and D. Cali

    The Role of Time Pressure, Cue Utilisation, and Information Security Awareness on Phishing Email Susceptibility

    This item is only available electronically. Phishing emails are emails which attempt to solicit sensitive information from unsuspecting users. Phishing represents a major threat to information security. To develop interventions aimed at reducing phishing susceptibility, an understanding of how emails are evaluated to determine their legitimacy, and individual differences that may predict phishing email susceptibility is required. The current study aims to examine the relationship between phishing susceptibility and time pressure, along with individual differences in cue utilisation and information security awareness (ISA). In an online study, 127 participants were randomly assigned to either a 7-second or 15-second time condition and were presented with 60 emails (40 genuine and 20 phishing). Emails were presented one at a time for the duration corresponding with each participant’s time condition. Participants were required to sort each email into one of ten categories. The ‘phishing’ category was considered a hit when chosen following a phishing email, and a false alarm when following a genuine email. Participants also completed an assessment of cue utilisation in the domain of phishing, and the Human Aspects of Information Security Questionnaire (HAIS-Q). Statistical analyses revealed that a higher level of cue utilisation, a shorter email exposure duration and higher ISA resulted in reduced ability to differentiate between phishing and genuine emails. Furthermore, a positive correlation was found between cue utilisation and ISA; however, there was no interaction between time pressure and cue utilisation on phishing susceptibility. This study’s outcomes may aid in the development of training and education programs aimed at reducing phishing susceptibility. Thesis (B.PsychSc(Hons)) -- University of Adelaide, School of Psychology, 202

    Investigating the Relationship between Learning Styles and Delivery Methods in Information Security Awareness Programs

    Information security threats are continually growing as new technologies emerge. Literature confirms that the human factor is an important issue, as cyber threats and exploitation of vulnerabilities continue to proliferate due to human error. There are significant risks associated with this, such as the organisation's reputational damage and associated costs, to name a few. Information Security Awareness (ISA) programs have proven to be one of the best methods to reduce human-linked security vulnerabilities and misbehaviour, which also reduces risks. The purpose of this research is twofold. First, it is to identify and explain the value of aligning ISA programs with user-preferred learning styles and delivery methods. Second, to indicate how aligning ISA programs with preferred learning styles and delivery methods influences security posture. Using the Knowledge, Attitude, and Behaviour (KAB) model as a theoretical lens, the study depicts how information security posture can be improved through the betterment of security knowledge, attitude, and behaviour. Additionally, the aligned learning styles and delivery methods' construct was added to the KAB model to investigate the research questions. The Human Aspect of Information Systems Questionnaire (HAIS-Q) was used to measure ISA levels of organisational employees in South Africa. The chosen parts of the HAIS-Q focused on password management, email and internet use. The ISA scores are essential for this research as they indicate the current ISA levels. This result can be used to improve information security posture. The Visual, Aural, Read/Write, and Kinaesthetic (VARK) inventory model was used to better understand the provided and preferred learning styles. Additionally, ISA programs focused on text-based, video-based, and game-based delivery methods commonly used and applied in prior academic research.
    Using a survey methodology, the study recruited 322 South African organisational employees to complete an online questionnaire. The questionnaire contained a subset of HAIS-Q, the VARK inventory model, delivery methods, and demographic questions. Bivariate Pearson correlation tests in conjunction with the ISA scores indicated that user-preferred learning styles achieve greater ISA. The results also showed that video-based delivery methods are the most preferred but do not yield the highest ISA scores. The highest ISA scores are achieved from a mixture of delivery methods. The study proposes user aligned learning styles and preferred delivery methods to positively influence the knowledge, attitude, and behaviour leading to improved cybersecurity resilience. As a result, this leads to self-reported and risk-averse behaviour, as end-users' self-efficacy has improved.