CHALLENGES OF THE SUCCESS OF CYBERSECURITY TRAINING PROGRAMS
Keywords:
awareness, information security, phishing, training
Abstract
Internet-based attacks still terrify the Internet community, including individuals and employees at public and private organizations. Many solutions have been proposed to protect Internet users against cybersecurity attacks, but most of them target the technical side of information systems. Attackers are therefore still able to bypass technical solutions by exploiting the human unawareness factor. Organizations therefore have to implement effective training programs to enhance their employees’ security awareness and influence them to comply with security rules and policies. The problem that still exists is the set of challenges that confront the implementation of effective security training programs. For that reason, security training challenges need to be analyzed to highlight the factors that limit the success of training programs. In this paper, security training challenges are categorized into three types based on the aspect in which they occur and cause impact: organization-related challenges, trainee-related challenges, and training program-related challenges.
License
Copyright (c) 2022 Journal of Basic Sciences

This work is licensed under a Creative Commons Attribution 4.0 International License.