This paper identifies and explains five key initiatives that three Australian organizations have implemented to improve their respective cyber security cultures. The five key initiatives are: identifying key cyber security behaviors, establishing a 'cyber security champion' network, developing a brand for the cyber team, building a cyber security hub, and aligning security awareness activities with internal and external campaigns. These key initiatives have helped organizations exceed minimal standards-compliance to create functional cyber security cultures. This paper discusses why these initiatives have been effective and provides practical guidance on their integration into organizational security program
Security breaches are prevalent in organizations and many of the breaches are attributed to human errors. As a result, the organizations need to increase their employees' security awareness and their capabilities to engage in safe cybersecurity behaviors. Many different psychological and social factors affect employees' cybersecurity behaviors. An important research question to explore is to what extent gender plays a role in mediating the factors that affect cybersecurity beliefs and behaviors of employees. In this vein, we conducted a cross-sectional survey study among employees of diverse organizations. We used structural equation modelling to assess the effect of gender as a moderator variable in the relations between psychosocial factors and self-reported cybersecurity behaviors. Our results show that gender has some effect in security self-efficacy (r = -0.435, p < 0.001), prior experience (r = -0.235, p < 0.001) and computer skills (r = -0.198, p < 0.001) and little effect in cues-to-action (r = -0.152, p < 0.001) and self-reported cybersecurity behaviors (r = -0.152, p < 0.001).
• The role of gender in employees' self-reported cybersecurity behaviors is explored.
• Results show gender-wise differences for cybersecurity self-efficacy and behavior.
• Training is needed to close the gender gap in cybersecurity self-efficacy.
As the amount of information, critical services, and interconnected computers and “things” in the cyberspace is steadily increasing, the number, sophistication, and impact of cyberattacks are becoming more and more significant. In the last decades, governmental and non-governmental organisations have become aware of this problem. However, the existing cybersecurity workforce has not been sufficient for satisfying the increasing demand for qualified cybersecurity professionals, and the shortfall will increase in the next years. Meanwhile, to address the increasing demand for cybersecurity professionals, academic institutions have been establishing cybersecurity programs, particularly, cybersecurity master programs.
This paper aims at analysing which cybersecurity topics are covered by existing cybersecurity master programs of top universities and how these topics are distributed through courses. It starts by reviewing the evolution and maturation of the cybersecurity discipline, focusing on the ACM efforts, which include the early addition of the Information Assurance and Security Knowledge Areas to the computer science curricula and, more recently, the development of curricular recommendations to support the definition of post-secondary cybersecurity programs. These latest guidelines are used to analyse and review 21 cybersecurity master programs, focusing on the contents of their courses, structure, admission requirements, duration, requirements for completion, and evolution.
Digital information and telecommunication technologies have not only become essential to individuals’ daily lives but also to a nation’s sustained economic growth, societal well-being, critical infrastructure resilience, and national security. Consequently, the protection of a nation’s cyber sovereignty from malicious acts is a major concern. This signifies the importance of cybersecurity education in facilitating the creation of a resilient cybersecurity ecosystem and in supporting cyber sovereignty. This study reviews a sample from world-leading countries’ National Cybersecurity Strategic Plans (NCSPs) and analyzes the associated existing cybersecurity education and training improvement initiatives. Furthermore, a proposal to adopt the Goal-Question-Outcomes (GQO)+Strategies paradigm into cybersecurity education and training programs curricula improvement to national cybersecurity strategic goals is presented. The proposal maps cybersecurity strategic goals to cybersecurity skills and competencies using the National Initiative for Cybersecurity Education (NICE) framework. The newly proposed cybersecurity education and training programs’ curricula learning outcomes were generated from the GQO+Strategies paradigm based on the three major cybersecurity strategic goals: Development of secure digital and information technology infrastructure and services, defending from sophisticated cyber threats, and enrichment of individuals’ cybersecurity maturity and awareness. It is highly recommended that cybersecurity university program administrators utilize the proposed GQO+Strategies to align their program’s curriculum to NCSP. Hence, closing the gap that exists with the relevant skills and sustaining national cybersecurity workforces.
In the contemporary ever-evolving digital landscape, the paramount importance of fortifying national cybersecurity for safeguarding national security is unequivocal. Cybersecurity stands as a critically strategic field, demanding in-depth strategic planning. This research delves into the complexities of cybersecurity strategy, evaluation, and its myriad challenges, moving beyond conventional methodologies to illuminate this essential sector. A key contribution of our work is the creation of an innovative taxonomy that precisely classifies and categorizes strategic cybersecurity challenges, thereby enriching the discipline's lexicon and deepening the understanding of the cybersecurity environment. Additionally, this study conducts a thorough review of prevailing guidelines, models, standards, and frameworks for the assessment of cybersecurity, its maturity, and cyber power, rendering this research indispensable for decision-makers. It also methodically examines and presents a mathematical formulation for assessment indices. This provision of critical insights supports the crafting of holistic and adaptable cybersecurity strategies, promoting a robust cyber ecosystem. Consequently, nations are better positioned to adeptly manage the shifting sands of cyber threats, bolstering their global cybersecurity stature and ensuring the protection of national and international digital security interests.
Behavioral determinants of cybersecurity have gained greater attention among information technology experts in recent years. However, drivers of risky cybersecurity behavior have not been widely studied. This exploratory study examines the extent to which risky cybersecurity behavior is predicted by factors of cybersecurity-related avoidance behavior. Self-reported risky cybersecurity behavior was examined in light of technology threat avoidance factors in a sample of 184 working adults in the United States. Risky behaviors were measured using the instrument by Hadlington (2017), previously used by researchers to measure behavioral associations with non-technology threat avoidance-related items. Hierarchical regression noted significant predictive associations between several technology threat avoidance factors and self-reported risky cybersecurity behavior: perceived susceptibility (p = .027), perceived cost (p = .003), and self-efficacy (p = .043). Combined, these variables explained 9.4% of the adjusted variance in levels of risky cybersecurity behavior (p = .001). Effect size calculations revealed predictive impacts in the low-medium range. Age was also confirmed as a confounding covariate (p = .045). The impact findings uniquely distinguish this study from previous works. Findings also infer that training in protective behavior can mitigate a significant portion of risky cybersecurity behavior.
• Workplace cybersecurity risks include systems-specific and human behavioral concerns.
• Impacts of protective inclinations on risky cybersecurity behavior have not been widely studied.
• Technology threat avoidance factors were analyzed regarding risky cybersecurity behavior by 184 working adults in the US.
• Perceived susceptibility, perceived cost, and self-efficacy significantly predicted risky cybersecurity behavior.
• The predictors explained approximately 9.4% of variance in risky cybersecurity behavior by participants.
Investigating the cybersecurity threat landscape is important as it increases situational awareness and defensive agility. Therefore, in this study the cybersecurity threat landscape for Botswana was investigated from the perspective of Information Technology (IT) and Cybersecurity professionals in Botswana. Since Botswana has no publicized empirical data on cyber threats, a cybersecurity incidences dataset from the United Kingdom (UK) was first analyzed to understand cybersecurity trends there. Insights obtained from the UK dataset were used as a baseline to design a questionnaire which was sent out to 31 participants from 20 organizations in Botswana. The findings obtained from the questionnaire were analyzed and compared to findings from the UK. This work showed that a coordinated response to cybersecurity and collection of information related to threats and mitigations can help improve situational awareness and defensive agility.
Cybersecurity is a growing problem associated with everything an individual or an organization does that is facilitated by the Internet. It is a multi-faceted program that can be addressed by cybersecurity governance. However, research has shown that many organizations face at least five basic challenges of cybersecurity. In this study, we developed a model for an effective cybersecurity governance that hopes to address these challenges, conceptualized as factors that must continuously be measured and evaluated. They are: (1) Cybersecurity strategy; (2) Standardized processes; (3) Compliance; (4) Senior leadership oversight; and (5) Resources.
We conduct a comprehensive review covering academic publications and industry products relating to tools for cybersecurity awareness and education aimed at non-expert end-users developed in the past 20 years. Through our search criteria, we identified 119 tools that we cataloged into five broad media categories. We explore current trends, assess their use of relevant instructional design principles, and review empirical evidence of the tools’ effectiveness. From our review, we provide an evaluation checklist and suggest that a more systematic approach to the design and evaluation of cybersecurity educational tools would be beneficial.