Abstract
User behavior is widely acknowledged as a crucial part of cybersecurity, and training is the most commonly suggested way of ensuring secure behavior. However, an open challenge is to get users to engage with such training to a high enough extent. Consequently, this paper provides research into user acceptance of cybersecurity training. User acceptance can be understood from a socio-technical perspective and depends on the training itself, the organization where it is deployed, and the user expected to engage with it. A structured literature review is conducted to review previous research on cybersecurity training acceptance using a social-technical approach. The paper contributes with an overview of how user acceptance has been researched in the three social-technical dimensions and with what results. The review shows that previous research mostly focused on how the training method itself affects user acceptance, while research focusing on organizational or user-related dimensions is more scarce. Consequently, the paper calls for further research on the organizational aspects of user acceptance of cybersecurity training and how user acceptance can differ between user groups.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Uchendu, B., Nurse, J.R., Bada, M., Furnell, S.: Developing a cyber security culture: current practices and future needs. Comput. Secur. 109(c) (2021)
Joinson, A., van Steen, T.: Human aspects of cyber security: behaviour or culture change? Cyber Secur.: A Peer-Rev. J. 1(4), 351–360 (2018)
Bada, M., Sasse, A.M., Nurse, J.R.: Cyber security awareness campaigns: why do they fail to change behaviour? arXiv preprint (2019)
Reeves, A., Calic, D., Delfabbro, P.: “Get a red-hot poker and open up my eyes, it’s so boring” 1: employee perceptions of cybersecurity training. Comput. Secur. 106 (2021)
Kävrestad, J., Furnell, S., Nohlberg, M.: What parts of usable security are most important to users? In: Drevin, L., Miloslavskaya, N., Leung, W.S., von Solms, S. (eds.) WISE 2021. IAICT, vol. 615, pp. 126–139. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-80865-5_9
Baxter, G., Sommerville, I.: Socio-technical systems: from design methods to systems engineering. Interact. Comput. 23(1), 4–17 (2011)
Mumford, E.: The story of socio-technical design: reflections on its successes, failures and potential. Inf. Syst. J. 16(4), 317–342 (2006)
Venkatesh, V., Bala, H.: Technology acceptance model 3 and a research agenda on interventions. Decis. Sci. 39(2), 273–315 (2008)
Lee, Y., Kozar, K.A., Larsen, K.R.: The technology acceptance model: past, present, and future. Commun. Assoc. Inf. Syst. 12(1) (2003)
Kävrestad, J., Gellerstedt, M., Nohlberg, M., Rambusch, J.: Survey of users’ willingness to adopt and pay for cybersecurity training. In: Clarke, N., Furnell, S. (eds.) HAISA 2022, pp. 14–23. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-12172-2_2
Bello, A., Maurushat, A.: Technical and behavioural training and awareness solutions for mitigating ransomware attacks. In: Silhavy, R. (ed.) CSOC 2020. AISC, vol. 1226, pp. 164–176. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51974-2_14
Dahabiyeh, L.: Factors affecting organizational adoption and acceptance of computer-based security awareness training tools. Inf. Comput. Secur. 29(5), 836–849 (2021)
Paré, G., Kitsiou, S.: Methods for literature reviews. In: Handbook of eHealth Evaluation: An Evidence-Based Approach. https://www.ncbi.nlm.nih.gov/books/NBK481583/. Accessed 12 Apr 2023
Meline, T.: Selecting studies for systematic review: inclusion and exclusion criteria. Contemp. Issues Commun. Sci. Disord. 33, 21–27 (2006)
Jesson, J., Matheson, L., Lacey, F.M.: Doing Your Literature Review: Traditional and Systematic Techniques. Sage (2011)
Wohlin, C., Runeson, P., Höst, M., Ohlsson, M.C., Regnell, B., Wesslén, A.: Experimentation in Software Engineering. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29044-2
Page, M.J., et al.: The PRISMA 2020 statement: an updated guideline for reporting systematic reviews. Int. J. Surg. 88, 105906 (2021). https://doi.org/10.1016/j.ijsu.2021.105906
Sarkis-Onofre, R., Catalá-López, F., Aromataris, E., Lockwood, C.: How to properly use the PRISMA statement. Syst. Rev. 10(1), 1–3 (2021). https://doi.org/10.1186/s13643-021-01671-z
Braun, V., Clarke, V.: Using thematic analysis in psychology. Qual. Res. Psychol. 3(2), 77–101 (2006)
Haney, J.M., Lutters, W.G.: “It’s scary... It’s confusing... It’s dull”: how cybersecurity advocates overcome negative perceptions of security. In: Proceedings of the Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018). USENIX (2018)
Ma, S.F., Zhang, S.X., Li, G., Wu, Y.: Exploring information security education on social media use Perspective of uses and gratifications theory. Aslib J. Inf. Manag. 71(5), 618–636 (2019)
Shillair, R.: Talking about online safety: a qualitative study exploring the cybersecurity learning process of online labor market workers. In: Proceedings of the 34th ACM International Conference on the Design of Communication. ACM (2016)
Wash, R., Cooper, M.M.: Who provides phishing training? Facts, stories, and people like me. In: Proceedings of the 2018 Chi Conference on Human Factors in Computing Systems. ACM (2018)
Silic, M., Lowry, P.B.: Using design-science based gamification to improve organizational security training and compliance. J. Manag. Inf. Syst. 37(1), 129–161 (2020)
Shen, L.W., Mammi, H.K., Din, M.M.: Cyber security awareness game (CSAG) for secondary school students. In: Procedings of the 2021 International Conference on Data Science and Its Applications (ICoDSA). IEEE (2021)
Wen, Z.A., Lin, Z.Q., Chen, R., Andersen, E.: What hack: engaging anti-phishing training through a role-playing phishing simulation game. In: Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems. ACM (2019)
Jin, G., Tu, M., Kim, T.-H., Heffron, J., White, J.: Game based cybersecurity training for high school students. In: Proceedings of the 49th ACM Technical Symposium on Computer Science Education. ACM (2018)
Kletenik, D., Butbul, A., Chan, D., Kwok, D., LaSpina, M.: Game on: teaching cybersecurity to novices through the use of a serious game. J. Comput. Sci. Coll. 36(8), 11–21 (2021)
Cullinane, I., Huang, C., Sharkey, T., Moussavi, S.: Cyber security education through gaming cybersecurity games can be interactive, fun, educational and engaging. J. Comput. Sci. Coll. 30(6), 75–80 (2015)
Gokul, C.J., Pandit, S., Vaddepalli, S., Tupsamudre, H., Banahatti, V., Lodha, S.: PHISHY - a serious game to train enterprise users on phishing awareness. In: Proceedings of the 2018 Annual Symposium on Computer-Human Interaction in Play Companion Extended Abstracts. ACM (2018)
Stockett, J.: Dr. InfoSec: how to teach your community to stop worrying and love 2-factor authentication. In: Proceedings of the 2018 ACM SIGUCCS Annual Conference. ACM (2018)
Offor, P., Tejay, G.: Information systems security training in organizations: andragogical perspective. In: Proceedings of the 20th Americas Conference on Information Systems. AIS (2014)
Bélanger, F., Maier, J., Maier, M.: A longitudinal study on improving employee information protective knowledge and behaviors. Comput. Secur. 116, 102641 (2022)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 IFIP International Federation for Information Processing
About this paper
Cite this paper
Kävrestad, J., Fallatah, W., Furnell, S. (2023). Cybersecurity Training Acceptance: A Literature Review. In: Furnell, S., Clarke, N. (eds) Human Aspects of Information Security and Assurance. HAISA 2023. IFIP Advances in Information and Communication Technology, vol 674. Springer, Cham. https://doi.org/10.1007/978-3-031-38530-8_5
Download citation
DOI: https://doi.org/10.1007/978-3-031-38530-8_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38529-2
Online ISBN: 978-3-031-38530-8
eBook Packages: Computer ScienceComputer Science (R0)