Abstract

As organizational reliance on technology increases, cybersecurity attacks become more attractive to attackers and increasingly devastating to organizations. Due to a lack of knowledge and skills, humans are often considered the most susceptible threat vector for cyber attacks. Previous studies in information systems (IS) literature have confirmed awareness techniques to be the first step in increasing employee cybersecurity-related knowledge, promoting security-conscious decision-making, and preventing naive IS security behaviors. While training initiatives exist within many organizations, there appears to be a limited number of empirical research studies that focus on what security education, training, and awareness (SETA) programs should encompass. This includes topics to be covered, the most valuable method for delivery, and to what degree these factors play a part in the IS security practice of employees. The aim of this study was to use subject-matter experts (SMEs) to validate: 1) the key topics needed for two SETA program types (typical & socio-technical), 2) the measurement criteria for employees’ cybersecurity countermeasures awareness (CCA), 3) weights for the three CCA categories (awareness of policy, SETA, & monitoring) in the overall CCA measure, and 4) two SETA programs' content with integrated vignette-based assessments for CCA. A Delphi methodology was utilized to gather feedback from 21 SMEs regarding cybersecurity topics for organizational SETA programs, to validate SETA training content, and to develop a vignette-based measure of CCA. Results show that awareness of the organizational cybersecurity policy was the most important category for the overall CCA measure with 41%, followed by awareness of SETA program content, with 34%, while awareness of monitoring was 25%. The paper concludes with discussions and a future research agenda.
