This article relates to the human-centered cyber security model because it evaluates the effectiveness of methods used to mitigate the human factor in cyber security awareness (CSA) programs, measuring the results by reviewing surveys, trainings, and behaviors before and after the training. The paper acknowledges there isn’t a single common understanding of what factors to measure or how to measure them during the evaluation of a cyber security awareness program. Without a standardized method of measuring the effectiveness of cybersecurity awareness programs, it is difficult to properly improve existing programs, as we cannot accurately determine the areas where a program falls short.
This article bases its assessment on the European Literacy Policy Network (ELINET) four indicators for awareness evaluation: impact, sustainability, accessibility, and monitoring. It is accepted that the four indicators are typically used outside of cybersecurity, but they were adjusted for cybersecurity awareness purposes. A systematic literature review of 32 papers was conducted to determine and analyze the “factors to be measured” and their “measuring methods” frequently used to assess the performance of a cybersecurity awareness program. The data collected was based on 9 measured factors: behavior, attitude, knowledge and competence, interest, reachability, touchability, value-added, usability, and overall feedback. These factors were then evaluated based on the measurement factors, or how they are conducted by an organization. This article identified measurement factors such as the intrusive and non-intrusive method, interest by audience, interest by organizer, interest by management, accessibility of awareness materials, self-motivated actions, financial and non-financial benefits, feedback strategies, and relevant topics covered against a cybersecurity awareness program.
This article relates back to the human-centered cybersecurity model, which places humans at the center of the cybersecurity policies, procedures, and frameworks in place. This article aligns with that human-centered model because it focuses on how to measure the success of a cybersecurity awareness program and how to apply changes for improved outcomes and consistency. It discusses the concern that cybersecurity awareness programs are not currently diverse enough to work across an entire organization. It cannot be determined whether the measured behavior is genuine, based on learned knowledge provided by the CSA program, or based on repeated actions and guesstimations.
This article acknowledges that individual interest from senior management, the organization, or the impacted audience will change how the success of a cybersecurity awareness program is measured, for example by focusing on financial interest and budgets or compliance standards while disregarding important factors that would lead to program improvements. This article highlighted the inconsistencies in measuring the success of cybersecurity awareness programs, acknowledging common factors that are measured and how they are presented to an audience, and discovering gaps in measurements. Later, this article proposes standardized metrics for assessing a cybersecurity awareness program. These metrics modify the four ELINET indicators (impact, sustainability, accessibility, and monitoring) to apply appropriately to cybersecurity. The aim is to provide a consistent measure of a cybersecurity awareness program to allow for accurate and timely process improvement.
Chaudhary, S., Gkioulos, V., & Katsikas, S. (2022, May 23). Developing metrics to assess the effectiveness of Cybersecurity Awareness Program. Journal of Cybersecurity. https://academic.oup.com/cybersecurity/article/8/1/tyac006/6590603