Comparing Training Methodologies on Employee’s Cybersecurity Countermeasures Awareness and Skills in Traditional vs. Socio-Technical Programs

Goode, Jodi

01 January 2018

Organizations, which have established an effective technical layer of security, continue to experience difficulties triggered by cyber threats. Ultimately, the cybersecurity posture of an organization depends on appropriate actions taken by employees whose naive cybersecurity practices have been found to represent 72% to 95% of cybersecurity threats and vulnerabilities to organizations. However, employees cannot be held responsible for cybersecurity practices if they are not provided the education and training to acquire skills, which allow for identification of security threats along with the proper course of action to mitigate such threats. In addition, awareness of the importance of cybersecurity, the responsibility of protecting organizational data, as well as of emerging cybersecurity threats is quickly becoming essential as the threat landscape increases in sophistication at an alarming rate. Security education, training, and awareness (SETA) programs can be used to empower employees, who are often cited as the weakest link in information systems (IS) security due to limited knowledge and lacking skillsets. Quality SETA programs not only focus on raising employee awareness of responsibilities in relation to their organizations’ information assets but also train on the consequences of abuse while providing the necessary skills to help fulfill these requirements. The main goal of this research study was to empirically assess if there are any significant differences on employees’ cybersecurity countermeasures awareness (CCA) and cybersecurity skills (CyS) based on the use of two SETA program types (typical & socio-technical) and two SETA delivery methods (face-to-face & online). This study included a mixed method approach combining an expert panel, developmental research, and quantitative data collection. A panel of subject matter experts (SMEs) reviewed the proposed SETA program topics and measurement criteria for CCA per the Delphi methodology. The SMEs’ responses were incorporated into the development of two SETA program types with integrated vignette-based assessment of CCA and CyS, which were delivered via two methods. Vignette-based assessment provided a nonintrusive way of measurement in a pre- and post-assessment format. Once the programs had been reviewed by the SMEs to ensure validity and reliability, per the Delphi methodology, randomly assigned participants were asked to complete the pre-assessment, the SETA program, and then the post-assessment providing for the qualitative phase of the study. Data collected was analyzed using analysis of variance (ANOVA) and analysis of covariance (ANCOVA) to address the proposed research hypothesis. Recommendations for SETA program type and delivery method as a result of data analysis are provided.

Information technology Cybersecurity

cybersecurity countermeasures awareness

cybersecurity skills

security

security education

training

and awareness (SETA)

Computer Sciences

Examining the efficacy of cybersecurity education at Swedish universities : A qualitative inquiry through interviews

Behzadi, Bahareh

January 2024

In today's digital landscape, information technologies (IT) serve as strategic assets for organizations, underscoring the critical role of cybersecurity in safeguarding valuable assets and preserving organizational competitiveness. Cybersecurity practices aim to protect information systems from unauthorized access, data breaches, and cyber threats. Yet, cybersecurity experts face significant challenges in addressing evolving threats, necessitating continuous investment in IT systems and software. Moreover, the complexity of technology ecosystems exacerbates cybersecurity risks. To address these challenges, organizations hire individuals for specific cybersecurity roles, emphasizing the importance of cybersecurity education and training. By aligning with established frameworks like the European Cybersecurity Skills Framework (ECSF), educational programs can prepare students for diverse cybersecurity roles. This research investigates how Swedish universities align their cybersecurity program content with ECSF roles, aiming to enhance cybersecurity education and workforce development. The study utilized two data collection methods to address the research question. Firstly, information on course content was gathered from the websites of universities offering cybersecurity programs. A qualitative framework-based analysis was then conducted to map each course to the defined roles in the ECSF framework. A total of 91 compulsory course contents from 11 cybersecurity programs across various uni-versities were analyzed, excluding optional courses due to student choice variability. Additionally, seven semi-structured interviews were conducted with course coordinators from these programs. These interviews aimed to gather insights from individuals who play a significant role in shaping the educational curriculum at universities. The examination of cybersecurity courses in Swedish universities, aligned with the European Cybersecurity Education and Professional Training Minimum Reference Curriculum framework, provides insights into the educational environment. Despite variations, every role specified in the ECSF framework is addressed by at least one course in Swedish universities, ensuring students receive education. However, specialized courses such as 'Cybersecurity for Artificial Intelligence (AI)' and 'Machine Learning Security' are limited to only one university, indicating the necessity for wider implementation across institutions. Results of interviews revealed the lack of standardized frameworks guiding the design and evaluation of cybersecurity programs at Swedish universities, alongside limited awareness among stakeholders. This highlights the challenges hindering program adaptability in today’s evolving landscape, including faculty recruitment issues and a lack of industry collaboration. Moreover, the absence of systematic assessment methods for program effectiveness underscores a critical area for future exploration.

Cybersecurity educational programs

European cybersecurity skills framework

systematic assessment

role-based education

Information Systems, Social aspects