Search results

This paper aims to highlight the potential of using capture the flag (CTF) challenges, as part of an engaging cybersecurity learning experience for enhancing skills and knowledge acquirement of undergraduate students in academic programs.

The approach involves integrating interactivity, gamification, self-directed and collaborative learning attributes using a CTF hosting platform for cybersecurity education. The proposed methodology includes the deployment of a pre-engagement survey for selecting the appropriate CTF challenges in accordance with the skills and preferences of the participants. During the learning phase, storytelling elements were presented, while a behavior rubric was constructed to observe the participants’ behavior and responses during a five-week lab. Finally, a survey was created for getting feedback from the students and for extracting quantitative results based on the attention, relevance, confidence and satisfaction (ARCS) model of motivational design.

Students felt more confident about their skills and were highly engaged to the learning process. The outcomes in terms of technical skills and knowledge acquisition were shown to be positive.

As the number of participants was small, the results and information retrieved from applying the ARCS model only have an indicative value; however, specific challenges to overcome are highlighted which are important for the future deployments.

Educators could use the proposed approach for deploying an engaging cybersecurity learning experience in an academic program, emphasizing on providing hands-on practice labs and featuring topics from real-world cybersecurity cases. Using the proposed approach, an educator could also monitor the progress of the participants and get qualitative and quantitative statistics regarding the learning impact for each exercise.

Educators could demonstrate modern cybersecurity topics in the classroom, closing further the gap between theory and practice. As a result, students from academia will benefit from the proposed approach by acquiring technical skills, knowledge and experience through hands-on practice in real-world cases.

This paper intends to bridge the existing gap between theory and practice in the topics of cybersecurity by using CTF challenges for learning purposes and not only for testing the participants’ skills. This paper offers important knowledge for enhancing cybersecurity education programs and for educators to use CTF challenges for conducting cybersecurity exercises in academia, extracting meaningful statistics regarding the learning impact.

The purpose of this paper is to present a comparison of two ways of developing and delivering massive open online courses (MOOCs). One was developed by The Open University in collaboration with FutureLearn; the other was developed independently by a small team at the Northampton University.

The different approaches had very different profiles of pedagogic flexibility, cost, development processes, institutional support and participant numbers.

MOOCs on existing large platforms can reach thousands of people, but constrain pedagogical choice. Self-made MOOCs have smaller audiences but can target them more effectively.

This comparison shows that, several years after MOOCs became prominent, there are many viable approaches for MOOCs.

Cybersecurity training plays a decisive role in overcoming the global shortage of cybersecurity experts and the risks this shortage poses to organizations' assets. Seeking to make the training of those experts as efficacious and efficient as possible, this study investigates the potential of visual programming languages (VPLs) for training in cyber ranges. For this matter, the VPL Blockly was integrated into an existing cyber range training to facilitate learning a code-based cybersecurity task, namely, creating code-based correlation rules for a security information and event management (SIEM) system.

To evaluate the VPL’s effect on the cyber range training, the authors conducted a user study as a randomized controlled trial with 30 participants. In this study, the authors compared skill development of participants creating SIEM rules using Blockly (experimental group) with participants using a textual programming approach (control group) to create the rules.

This study indicates that using a VPL in a cybersecurity training can improve the participants' perceived learning experience compared to the control group while providing equally good learning outcomes.

The originality of this work lies in studying the effect of using a VPL to learn a code-based cybersecurity task. Investigating this effect in comparison with the conventional textual syntax through a randomized controlled trial has not been investigated yet.

To protect information and communication technology (ICT) infrastructure and resources against poor cyber hygiene behaviours, organisations commonly require internal users to confirm they will abide by an ICT Code of Conduct. Before commencing enrolment, university students sign ICT policies, however, individuals can ignore or act contrary to these policies. This study aims to evaluate whether students can apply ICT Codes of Conduct and explores viable approaches for ensuring that students understand how to act ethically and in accordance with such codes.

The authors designed a between-subjects experiment involving 260 students’ responses to five scenario-pairs that involve breach/non-breach of a university’s ICT policy following a priming intervention to heighten awareness of ICT policy or relevant ethical principles, with a control group receiving no priming.

This study found a significant difference in students’ responses to the breach versus non-breach cases, indicating their ability to apply the ICT Code of Conduct. Qualitative comments revealed the priming materials influenced their reasoning.

The authors’ priming interventions were inadequate for improving breach recognition compared to the control group. More nuanced and targeted priming interventions are suggested for future studies.

Appropriate application of ICT Code of Conduct can be measured by collecting student/employee responses to breach/non-breach scenario pairs based on the Code and embedded with ethical principles.

Shared awareness and protection of ICT resources.

Compliance with ICT Codes of Conduct by students is under-investigated. This study shows that code-based scenarios can measure understanding and suggest that targeted priming might offer a non-resource intensive training approach.

An organization’s ability to successfully manage intellectual capital is determined by the actions of its employees to prevent or minimize information security incidents. To prevent more data breaches to intellectual capital, organizations must provide regular cybersecurity awareness training for all personnel. The purpose of this paper is to investigate the effect of different evidence-based cybersecurity training methods on employees’ cybersecurity risk perception and self-reported behavior.

The study participants were randomly assigned into four groups (i.e. malware report, malware videos, both malware report and malware videos and no interventions) to assess the effects of cybersecurity training on their perceptions of vulnerability, severity, self-efficacy, security intention as well as their self-reported cybersecurity behaviors.

The results show that evidence-based malware report is a relatively better training method in affecting employees’ intentions of engaging in recommended cybersecurity behaviors comparing with the other training methods used in this study. A closer analysis suggests whether the training method contains self-relevant information could make a difference to the training effects.

This paper reports an in-depth investigation on how different evidence-based cybersecurity training methods impact employees’ perceptions of susceptibility, severity, self-efficacy, security intention as well as on their self-reported cybersecurity behaviors.

The frequency and sophistication of cybercrimes are increasing. These cybercrimes are impacting government and private organizations as well as individuals. One of the countermeasures is to improve the cyber hygiene of the end-users. Serious games or game-based learning has emerged as a promising approach for implementing security education, training and awareness program. In this paper, the researchers propose a tabletop card game called Cyber Suraksha to increase threat awareness and motivate users to adopt recommended security controls for smartphone users. Cyber Suraksha provides an active learning environment for the players. This paper aims to provide the details of the design and evaluation of the game using a between-subjects design.

The researchers have used constructive learning theory and the Fogg behaviour model (FBM) to design a tabletop card game called Cyber Suraksha. The researchers evaluated the game using a between-subjects design. The participants' responses in the control and intervention groups were collected using the risk behaviour diagnosis scale. Pearson’s Chi-Square test with a 5% significance level was used to test the hypotheses.

The results indicate that the game is enjoyable and fun. Cyber Suraksha game effectively motivates users to adopt the recommended security control for the targeted behaviour. The results indicate that the participants in the intervention group are 2.65 times more likely to adopt recommended behaviour. The findings of this study provide evidence for the effectiveness of hope and fear appeals in improving cybersecurity awareness.

The generalizability of the study is limited because the sample size is small compared to the total number of smartphone users in India, and only students from computer/IT UG programs in India are used as participants in this study.

This study uses hope and a fear appeal to design an effective serious game. It also demonstrates using the FBM and constructive learning principles for effective serious game design. Cyber Suraksha is effective for the student group and may be tested with other age groups.

To the researchers' knowledge, there are no serious games for cybersecurity awareness focusing on the threats faced by smartphone users based on FBM and constructive learning theory. This research used hope along with a fear appeal to motivate smartphone users to adopt recommended security controls.

The human factor is the most important defense asset against cyberattacks. To ensure that the human factor stays strong, a cybersecurity culture must be established and cultivated in a company to guide the attitudes and behaviors of employees. Many cybersecurity culture frameworks exist; however, their practical application is difficult. This paper aims to demonstrate how an established framework can be applied to determine and improve the cybersecurity culture of a company.

Two surveys were conducted within eight months in the internal IT department of a global software company to analyze the cybersecurity culture and the applied improvement measures. Both surveys comprised the same 23 questions to measure cybersecurity culture according to six dimensions: cybersecurity accountability, cybersecurity commitment, cybersecurity necessity and importance, cybersecurity policy effectiveness, information usage perception and management buy-in.

Results demonstrate that cybersecurity culture maturity can be determined and improved if accurate measures are derived from the results of the survey. The first survey showed potential for improving the dimensions of cybersecurity accountability, cybersecurity commitment and cybersecurity policy effectiveness, while the second survey proved that these dimensions have been improved.

This paper proves that practical application of cybersecurity culture frameworks is possible if they are appropriately tailored to a given organization. In this regard, scientific research and practical application combine to offer real value to researchers and cybersecurity executives.

Cyberattacks are becoming increasingly widespread, and cybersecurity is therefore increasingly important. Although the technological aspects of cybersecurity are its best-known characteristics, the cybersecurity phenomenon goes beyond the detection of technological impacts, and encompasses all the dimensions of an organization. This study thus focusses on an additional set of organizational elements. The key elements of cybersecurity organizational readiness depicted here are cybersecurity awareness, cybersecurity culture and cybersecurity organizational resilience (OR). This study aims to qualitatively assess small and medium enterprises’ (SMEs) overall level of organizational cybersecurity readiness.

This study focused on conducting a cybersecurity organizational readiness assessment using a sample of 53 Italian SMEs from the information and communication technology sector. Informed mixed method research, this study was conducted consistent with the principles of the explanatory sequential mixed method design, and adopting a quanti-qualitative methodology. The quantitative data were collected through a questionnaire. Qualitative data were subsequently collected through semi-structured interviews.

Although many elements of the technical aspects of cybersecurity OR have yielded very encouraging results, there are still some areas that require improvement. These include those facets that constitute the foundation of cybersecurity awareness, and, thus, a cybersecurity culture. This result highlights that the areas in need of improvement are exactly those that are most important in fighting against cyber threats via organizational cybersecurity readiness.

Although the importance of SMEs is obvious, evidence of such organizations’ attitudes to cybersecurity are still limited. This research is an attempt to depict the organizational issue related to cybersecurity, i.e. overall cybersecurity organizational readiness.

The purpose of this paper can be encapsulated in the following points: identify the research papers published on the topic: competencies and skills necessary for critical infrastructure (CI) cyber-security (CS) protection; determine main focus areas within the identified literature and evaluate the dependency or lack thereof between them: make recommendations for future research.

This study is based on a systematic literature review conducted to identify scientific papers discussing and evaluating competencies, skills and essential attributes needed by the CI workforce for CS and preparedness to attacks and incidents.

After a comparative analysis of the articles reviewed in this study, a variety of skills and competencies was found to be necessary for CS assurance in CIs. These skills have been grouped into four categories, namely, technical, managerial, implementation and soft skills. Nonetheless, there is still a lack of agreement on which skills are the most critical and further research should be conducted on the relation between specific soft skills and CS assurance.

Investigation of which skills are required by industry for specific CS roles, by conducting interviews and sending questionnaire\surveys, would allow consolidating whether literature and industry requirements are equivalent.

Findings from this literature review suggest that more effort should be taken to conciliate current CS curricula in academia with the skills and competencies required for CS roles in the industry.

This study provides a previously lacking current mapping and review of literature discussing skills and competencies evidenced as critical for CS assurance for CI. The findings of this research are useful for the development of comprehensive solutions for CS awareness and training.

The purpose of this study is to investigate whether having accessible cybersecurity programs (CPs) for high-school students affected girls’ long-term engagement with the industry, given that they already had interests in technology. Although much research has been done to evaluate how high-school science, technology, engineering, and mathematics programs retain girls in computing fields, it is necessary to see if this same long-term engagement exists in cybersecurity-specific programs.

In total, 55 members were surveyed from the aspirations in computing community regarding their experience in and accessibility to high-school CPs. A quantitative analysis of such responses was then undertaken using inferential statistical tools and chi-squared tests for independence.

The results showed that the existence of CPs alone are not influential factors in increasing long-term engagement with the field, showcasing that the high-knowledge barrier of CPs affects many students (even those with prior interests in technology). Instead, by having multiple occurrences of these programs and providing more cybersecurity resources to areas that lacked them, girls were more likely to report an increased interest in the field.

Such information can support future program leaders to develop effective, accessible and more targeted cybersecurity initiatives for students of various communities.

By analyzing the unique interactions of tech-aspiring women with cybersecurity, this exploration was able to demonstrate that women of different computing experiences face a shared barrier when entering the cybersecurity field. Likewise, in comparing these perspectives across different age groups, the investigation highlighted the development and subsequent growth of cybersecurity programming over the years and why such initiatives should be supported into the future.