Abstract
Purpose
As insiders remain a main reason behind security breaches, effective information security awareness campaigns are critical to protecting organizations from security incidents. The purpose of this paper is to identify factors that influence organizational adoption and acceptance of computer-based security awareness training tools.
Design/methodology/approach
The paper uses content analysis of online reviews of the top ten computer-based security awareness training tools that received the Gartner Peer Insights Customers’ Choice 2019 award.
Findings
This study identifies nine critical adoption and success factors. These are synthesized into a conceptual framework based on the technology–organization–environment framework. The findings reveal that technological, organizational and environmental factors come into play in adoption decisions but with varying degrees of importance.
Practical implications
This study highlights key factors that technology vendors should take into consideration when designing computer-based security awareness training tools to increase adoption rates.
Originality/value
This research offers a novel contribution to the literature on information security awareness delivery methods by identifying key factors that influence organizational adoption and acceptance of computer-based security awareness training tools. Those factors were identified using content analysis of online reviews, which is a new methodological approach to the information security awareness literature.
Giddeon Njamngang Angafor, Iryna Yevseyeva and Leandros Maglaras
Abstract
Purpose
This paper aims to discuss the experiences designing and conducting an experiential learning virtual incident response tabletop exercise (VIRTTX) to review a business's security posture as it adapts to remote working because of the Coronavirus 2019 (COVID-19). The pandemic forced businesses to move operations from offices to remote working. Given that this happened quickly for many, some firms had little time to factor in appropriate cyber-hygiene and incident prevention measures, thereby exposing themselves to vulnerabilities such as phishing and other scams.
Design/methodology/approach
The exercise was designed and facilitated through Microsoft Teams. The approach used included a literature review and an experiential learning method that used scenario-based, active pedagogical strategies such as case studies, simulations, role-playing and discussion-focused techniques to develop and evaluate the processes and procedures used in preventing, detecting, mitigating, responding to and recovering from cyber incidents.
Findings
The exercise highlighted the value of using scenario-based exercises in cyber security training. It elaborated that scenario-based incident response (IR) exercises are beneficial because well-crafted and well-executed exercises raise cyber security awareness among managers and IT professionals. Such activities with integrated operational and decision-making components enable businesses to evaluate IR and disaster recovery (DR) procedures, including communication flows, to improve decision-making at strategic levels and enhance the technical skills of cyber security personnel.
Practical implications
The primary implication for practice is that practical, experiential, hands-on exercises such as this VIRTTX enhance security awareness. These exercises bring together staff from across a business to evaluate existing IR/DR processes to determine if they are fit for purpose, establish existing gaps and identify strategies to prevent future threats, including during challenging circumstances such as the COVID-19 outbreak. Furthermore, the use of TTXs or TTEs for scenario-based incident response exercises was extremely useful for cyber security practice because well-crafted and well-executed exercises have been found to serve as valuable and effective tools for raising cyber security awareness among senior leadership, managers and IT professionals (Ulmanová, 2020).
Originality/value
This paper underlines the importance of practical, scenario-based cyber-IR training and reports on the experience of conducting a virtual IR/DR tabletop exercise within a large organisation.
Zuopeng (Justin) Zhang, Wu He, Wenzhuo Li and M'Hammed Abdous
Abstract
Purpose
Employees must receive proper cybersecurity training so that they can recognize the threats to their organizations and take the appropriate actions to reduce cyber risks. However, many cybersecurity awareness training (CSAT) programs fall short due to their misaligned training focuses.
Design/methodology/approach
To help organizations develop effective CSAT programs, we have developed a theoretical framework for conducting a cost–benefit analysis of those CSAT programs. We differentiate them into three types of CSAT programs (constant, complementary and compensatory) by their costs and into four types of CSAT programs (negligible, consistent, increasing and diminishing) by their benefits. Also, we investigate the impact of CSAT programs with different costs and benefits on a company's optimal degree of security.
Findings
Our findings indicate that the benefit of a CSAT program with different types of cost plays a disparate role in keeping, upgrading or lowering a company's existing security level. Ideally, a CSAT program should spend more of its expenses on training employees to deal with the security threats at a lower security level and to reduce more losses at a higher security level.
Originality/value
Our model serves as a benchmark that will help organizations allocate resources toward the development of successful CSAT programs.
Abstract
Purpose
The purpose of this paper is to survey the status of information security awareness among college students in order to develop effective information security awareness training (ISAT).
Design/methodology/approach
Based on a review of the literature and theoretical standpoints as well as the National Institute of Standards and Technology Special Publication 800-50 report, the author developed a questionnaire to investigate the attitudes toward information security awareness of undergraduate and graduate students in a business college at a mid-sized university in New England. Based on that survey and the previous literature, suggestions for more effective ISAT are provided.
Findings
College students understand the importance of and the need for ISAT, but many of them do not participate in it. However, security topics that are not commonly covered by any installed (or built-in) programs or web sites have a significant relationship with information security awareness. It seems that students learned security concepts piecemeal from a variety of sources.
Practical implications
Universities can assess their ISAT for students based on the findings of this study.
Originality/value
If universities want to improve their current ISAT, or establish one, the findings of this study offer some guidelines.
Eylem Thron, Shamal Faily, Huseyin Dogan and Martin Freer
Abstract
Purpose
Railways are a well-known example of complex critical infrastructure, incorporating socio-technical systems with humans such as drivers, signallers, maintainers and passengers at the core. Technological evolution, including interconnectedness and new ways of interaction, leads to new security and safety risks that can be realised both through human error and through malicious and non-malicious behaviour. This study aims to identify the human factors (HF) and cyber-security risks relating to the role of signallers on the railways and explores strategies for the improvement of “Digital Resilience” – for the concept of a resilient railway.
Design/methodology/approach
Overall, 26 interviews were conducted with 21 participants from industry and academia.
Findings
The results showed that due to increased automation, both cyber-related threats and human error can impact signallers’ day-to-day operations – directly or indirectly (e.g. workload and safety-critical communications) – which could disrupt the railway services and potentially lead to safety-related catastrophic consequences. This study identifies cyber-related problems, including external threats; engineers not considering the human element in designs when specifying security controls; lack of security awareness among the rail industry; training gaps; organisational issues; and many unknown “unknowns”.
Originality/value
The authors discuss socio-technical principles through a hexagonal socio-technical framework and a training needs analysis to mitigate cyber-security issues and identify the predictive training needs of the signallers. This is supported by a systematic approach which considers both safety and security factors, rather than waiting to learn from a cyber-attack retrospectively.
Abstract
Purpose
This paper aims to follow up on previous research by studying the degree of management commitment to information and communication technology (ICT) safety and security within network companies in the electric power supply sector, the implementation of awareness creation and training measures for ICT safety and security within these companies, and the relationship between these two variables.
Design/methodology/approach
Data were mainly collected through a survey among users of ICT systems in network companies within the Norwegian electric power supply sector. In addition, qualitative data were gathered through interviews with representatives from the regulatory authorities, and observation studies were conducted at ICT safety and security conferences.
Findings
In accordance with previous research, our survey data showed a statistically significant correlation between management commitment to ICT safety and security and implementation of awareness creation and training measures. The majority of survey respondents viewed the degree of management commitment to ICT safety and security within their own organization as high, even though qualitative studies showed contradictory results. The network companies had implemented awareness creation and training measures to a varying degree. However, interactive awareness measures were used to a lesser extent than formal one-way communication methods.
Originality/value
The paper provides insight into management commitment to and implementation of awareness creation and training measures for ICT safety and security within network companies.
Harrison Stewart and Jan Jürjens
Abstract
Purpose
The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset.
Design/methodology/approach
Before developing the survey instrument, effective measures were first identified and developed from a review of the existing literature, and the survey questionnaires were set according to past studies and findings based on qualitative analyses. Data were collected using a cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B.
Findings
Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s findings are interrelated and work together, rather than on their own.
Research limitations/implications
The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings.
Practical implications
In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed.
Social implications
The present study’s findings suggest that using flexible tools that can be scoped to meet individual organizational needs has positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake oversimplified, generalized guidelines that neglect to verify the differences in information security requirements between organizations. Instead, they should focus on how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps.
Originality/value
The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.
Stephanie Walter, Jan B. Schmutz and Gudela Grote
Abstract
Purpose
This study aims to introduce a team-centric leadership training program tailored for leaders of critical action teams. It emphasizes the critical role of effective teamwork in high-stakes environments.
Design/methodology/approach
The authors developed a team-centric leadership training program for crew leaders of airport security teams. The training program comprised in-class teaching on the psychological foundations of teamwork and practical simulations. The training program’s effectiveness was assessed at the individual and team levels using Kirkpatrick’s evaluation model to obtain a complete evaluation of its effectiveness. First, a pre- and posttraining questionnaire recorded changes in self-efficacy, knowledge and skills about teamwork at the individual level from 62 leaders. Second, the authors assessed the transfer effects of the team-centric leadership training on self-reported team processes and team performance during a work shift of 37 crews.
Findings
Results indicate an improvement in the application of teamwork skills but not in self-efficacy or knowledge among crew leaders who underwent the training. Additional analysis revealed that leaders with initially high self-efficacy in teamwork experienced a reduction posttraining, whereas those with initially low levels reported an increase. Teams led by trained leaders demonstrated higher engagement in key team processes than those led by untrained leaders. No effect was found on team performance.
Originality/value
This study offers a cost-effective alternative to conventional teamwork training methods, specifically designed for high-pressure security contexts. The authors advocate for the adoption of this training model by security professionals, aiming to elevate team processes and operational efficacy in critical action teams.
Charlie C. Chen, B. Dawn Medlin and R.S. Shaw
Abstract
Purpose
The aim of this research is to make users aware of the importance surrounding the issue of security and security awareness while at the same time making educators as well as other individuals aware of the differing effects of cultural dimensions into the learning process.
Design/methodology/approach
An inter‐cultural study was conducted to investigate if users from the USA and Taiwan exposed to the same situational awareness learning would have different performance in those security awareness outcomes.
Findings
The findings confirm that American users who received the situational learning outperformed those users who received the traditional face‐to‐face instruction. Taiwanese users did not perform significantly differently between these two treatments.
Research limitations/implications
The study focused on only two countries, which may limit its implications worldwide. But the study does show that global citizens react differently to security awareness, as would be expected given differing cultures. Certainly, awareness of the risks and safeguards is the first line of defense that can be employed by any individual, but how individuals address these risks can be very dissimilar across cultures. Therefore, the implication is clear that the issue of security awareness should be studied from different cultural perspectives.
Originality/value
This paper offers original findings on whether or not situational security awareness training is culturally bounded.
Abstract
Purpose
Through the use of effective training techniques and exercises, employees and users can be educated on how to make safe information security decisions. It is critical to the success of a total information security program that users are trained properly as they are a major layer of defense against malicious intent. The current methods of training people about information security are failing, and the number of user-related breaches increases every year.
Design/methodology/approach
By researching and observing current methods and comparing other fields of study, this paper describes the best methodology for modifying user behavior as it pertains to information security.
Findings
Through effective training practices, user negligence can be mitigated and controlled, and the information security program can be better practiced throughout entire organizations.
Originality/value
By using an effective training method to teach employees about information security, employees become an invaluable part of a company’s overall information security strategy. By using this method, employees are no longer the weak link in information security.