A systematic review of current cybersecurity training methods

Abstract

Cybersecurity continues to be a growing issue, with cyberattacks causing financial losses and loss of productivity and reputation. Especially in an organisational setting, end-user behaviour plays an essential role in achieving a high level of cybersecurity. One way to improve end-user cybersecurity behaviour is through comprehensive training programmes.There are many contradictory statements and findings with regard to the optimal way to conduct a behavioural cybersecurity training. We conducted a systematic review to create a comprehensive overview of the methods used in cybersecurity training and their effectiveness in improving organisational cybersecurity behaviours. Web of Science, ACM Digital Library, ProQuest, PubMed and PsycINFO were searched and 16,771 papers were identified. After title, abstract and full text screenings were conducted, 142 relevant papers were included in our analysis.The analysis shows that the majority of studies report positive effects of training, regardless of the cybersecurity topic that was addressed or the training method that was employed. Game-based training methods were used most often. Most studies used a non-experimental design to test effectiveness, with pretest-posttest designs being the most frequent. Sample sizes were often small and many interventions were not tested on employees but other populations. Further findings with regard to intervention design, characteristics and evaluation are discussed.