Abstract
Significant evidence indicates that insecure employee behavior can be a major threat, undermining cybersecurity in organizations. Although cybersecurity awareness programs aim to enhance behavior and mitigate security risk, much of the current provision is essentially one-size-fits-all and does not pay attention to the differences in security behavior and other important traits that distinguish users. Similarly, while many guidelines exist to promote good practice, this in itself does not account for how people internalize security-related knowledge and make security-related decisions. This research explores the impact of human-centric variables, organizational culture and security awareness communication approaches on cybersecurity, leading towards the proposal of an initial concept for a Personalized Security Awareness Program (PSAP) framework. The intention of the framework is to recognize the relevant differences in the profile of the users that require awareness-related support, and then to take account of this in how security messaging is delivered and how the resulting performance is evaluated. This work-in-progress paper presents the background justification for the approach and outlines the key elements to be considered in its further realization.
© 2023 IFIP International Federation for Information Processing
Cite this paper
Alotaibi, S., Furnell, S., He, Y. (2023). Towards a Framework for the Personalization of Cybersecurity Awareness. In: Furnell, S., Clarke, N. (eds) Human Aspects of Information Security and Assurance. HAISA 2023. IFIP Advances in Information and Communication Technology, vol 674. Springer, Cham. https://doi.org/10.1007/978-3-031-38530-8_12
DOI: https://doi.org/10.1007/978-3-031-38530-8_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38529-2
Online ISBN: 978-3-031-38530-8
eBook Packages: Computer Science (R0)