Understanding Factors in Cybersecurity Education and Training

FACTORS CONTRIBUTING TO CYBERSECURITY EDUCATION AND TRAINING PRINCE ZAQUEU & TENDANI MAWELA NEMISA 2023 DIGITAL SKILLS COLLOQUIUM 15-17 FEBRUARY 2023

BACKGROUND TO STUDY Increasing reliance on ICT s and the internet throughout various sectors of society. Noted an upsurge in cyber threats and cyber related crimes. Additionally, organizations shifted to digital modes of operation due to COVID-19. Consumers have also progressively accepted more online formats of shopping, education, entertainment and digital communication channels. Trend in people falling prey to cybercrimes and challenges with cybersecurity continues on an upward trajectory.

CYBERSECURITY AND CYBERCRIME Cybersecurity The collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that are used to protect users from cybercrimes (von Solms & van Niekerk, 2013). Securing hardware, software, data and information that exists in an online system from various types of breach (Tirumala, Valluri, & Babu, 2019). Cybercrime Broad term and encompasses criminal activity involving computers or computer networks. Due to increasing digital interconnectivity, millions of people worldwide are continuing to be negatively affected by cybercrimes annually.

IMPACT OF CYBERCRIME Organizations and Individuals are targets. Illegal access to IT systems Cyber espionage Data or system interference Cyber extortion and internet fraud Phishing Malware, trojans and ransomware Identity theft and loss of sensitive information such as credit card details or passwords Approximately 15 million data records were exposed worldwide through data breaches over the 3rd quarter of 2022 representing a 37% increase from the previous quarter (Statista, 2022). There is concern that these trends will continue to grow.

CYBERSECURITY AND CYBERCRIME Although the increasing policing, regulations and security advances assist in mitigating and preventing some of the damage done by cyber criminals, cybercrime continues to be a burdening issue affecting millions of people, organisations, and governments every year. A significant contributing factor to the prevalence of cybersecurity related challenges is vulnerabilities in systems and as well as in people (Platsis, 2019).

CYBERSECURITY AND CYBERCRIME Literature reports that the human elements are a dominant component of cybersecurity. People s behaviours, personality traits, online activities, and attitudes towards technology impact their vulnerability online (Monteith, et al., 2021). Cybersecurity awareness, education, and training are = areas that can be considered to improve a user s cybersecurity detection and prevention competencies and skills (Holdsworth & Apeh, 2017) Study adopted the SLR method and aimed to address the following research question: What are the contributing factors for effective cyber security education, training, and awareness programs?

RESEARCH METHOD SLR IEEE Xplore Digital Library; WorldCat Discovery Service; Emerald Insight; ProQuest; and ScienceDirect Inclusion Criteria Exclusion Criteria 1. Publications written in the English language. Publications that presents a method, technique, or process for educating, training, or raising awareness regarding cyber security and cybercrime. Publications that show how education, training, and awareness programs have worked. Publications explaining cyber security and cybercrime. Publications that were published between 2005 and 2020. 1. Publications where only the abstract but not the full text is available. Duplicate papers. Publications not relating to cybercrime or cyber security. Publications focused on technological applications to deter cybercrimes, not relating to education, training and awareness. Search string incl: 2. Critical success factors 2. 3. Cybersecurity Awareness 3. 4. Education Training After removing duplicates, screening, evaluation and quality assessment final 58 papers analyzed for the study. 4. Data was analysed using the thematic analysis approach with the aim of identifying factors contributing to cybersecurity awareness, education and training to support appropriate skills and behaviour. 5.

FINDINGS & DISCUSSION 1. Cybersecurity Awareness Assessing awareness of individuals prior to training essential. Adopt multiple methods to assess users cybersecurity awareness. E.g.: Survey- based questionnaires, vocabulary tests, observations, gaming tools, focus groups Though understanding of awareness tailor the programs for the users perceived vulnerabilities. Users should be assessed based on their vulnerabilities in cybersecurity awareness and education as unified training has its drawbacks. The education and training should be based on the person or groups actual awareness level, responsibilities and use of the internet.

FINDINGS & DISCUSSION 2. Training Approaches Consider which approach will be effective for the users being trained. There are two broad types of training which are computer-based training and instruction- led training. Computer-based training can be conducted by training videos, guided instructions, interactive applications, web-based courses, and use assessments, quizzes, and mini-challenges to access the trainee s knowledge The advantages of computer-based training are that it is a cost-effective training method, that is easy to deliver and has a flexible structure that provides easy access to information. However, computer-based training does not provide sufficient support or help and can also feel redundant for a skilled trainee.

FINDINGS & DISCUSSION 2. Training Approaches Gamification, in the context of cybersecurity training, is a technique that uses game design and principles to provide cybersecurity education. Gamification is a tool that allows e-learning to be interesting and engaging thus capturing the user s full attention and leading to better retention. Gamification also improves richness of the information since various forms of media that can be used, such as hypermedia, multimedia, and hypertext. These media types allows for training material to be presented visually and highlight critical concepts and the relationships between the concepts clearly. Games generally have a short feedback cycle and so users would get their punishments or rewards quickly, reinforcing the concepts.

FINDINGS & DISCUSSION 3. Curriculum Considerations Social Engineering Social engineering techniques are a big threat to security systems because they focus on the human element and do not get prevented by tools and software. Various topics can be covered in the programmes: Identity theft. Passphrases and multi-factor authentication. Public Wi-Fi. Social engineering, including phishing and SMShing. Browsing securely. Device security. Malware. Game theory Risk management Human bias for optimism.

FINDINGS & DISCUSSION 4 Organizational & Demographic Considerations Organizations- To have a successful cybersecurity awareness programs, there are a few key attributes that must be incorporated into the program. Strategic focus, Top management support, training resources, reward systems, ongoing assessment of awareness level. Individuals Consider demographic factors when developing programmes Language, ICT self efficacy, computer experience, gender

CONCLUSION Study focused on the importance of assessing awareness of users, selection of pedagogical approaches, design of the curriculum and supporting organizational and demographic aspects. Factors identified in this SLR may be used to inform the creation of cybersecurity awareness, training, and education programs towards building the skills and competencies of internet users. Limitations: SLR that included 58 papers from selected databases. Future Research: Training and education regarding social engineering.