
Towards a Framework for the Personalization of Cybersecurity Awareness

  • Conference paper
Human Aspects of Information Security and Assurance (HAISA 2023)

Part of the book series: IFIP Advances in Information and Communication Technology (IFIPAICT, volume 674)

Abstract

Significant evidence indicates that insecure employee behavior can be a major threat, undermining cybersecurity in organizations. Although cybersecurity awareness programs aim to enhance behavior and mitigate security risk, much of the current provision is essentially designed as a one-size-fits-all offering and does not pay attention to the differences in security behavior and other important traits that distinguish users. Similarly, while many guidelines exist to promote good practice, this in itself does not account for how people internalize security-related knowledge and make security-related decisions. This research explores the impact of human-centric variables, organizational culture and security awareness communication approaches on cybersecurity, leading towards the proposal of an initial concept for a Personalized Security Awareness Program (PSAP) framework. The intention of the framework is to recognize the relevant differences in the profile of the users that require awareness-related support, and then take account of this in how security messaging is delivered and how the resulting performance is evaluated. This work-in-progress paper presents the background justification for the approach and outlines the key elements to be considered in its further realization.



Author information

Corresponding author

Correspondence to S. Alotaibi.

Copyright information

© 2023 IFIP International Federation for Information Processing

About this paper

Cite this paper

Alotaibi, S., Furnell, S., He, Y. (2023). Towards a Framework for the Personalization of Cybersecurity Awareness. In: Furnell, S., Clarke, N. (eds) Human Aspects of Information Security and Assurance. HAISA 2023. IFIP Advances in Information and Communication Technology, vol 674. Springer, Cham. https://doi.org/10.1007/978-3-031-38530-8_12

  • DOI: https://doi.org/10.1007/978-3-031-38530-8_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38529-2

  • Online ISBN: 978-3-031-38530-8

  • eBook Packages: Computer Science, Computer Science (R0)
