Article: https://academic.oup.com/cybersecurity/article/8/1/tyac006/6590603?searchresult=1 “Developing metrics to assess the effectiveness of cybersecurity awareness program”
This article describes the metrics used to assess a cybersecurity program in terms of both the information made available and the action taken because of that information. The journal article draws on many prior articles to synthesize a hypothesis regarding cybersecurity efficiency. This topic relates to the principles of the social sciences because the majority of cybercrime involves a human component, such as social engineering, seen mainly in phishing attacks. A main principle connected to this journal article is ethics in cybersecurity, as there must be a balance between privacy and safety, which can toe the line between ethical and unethical.
The article used two distinct research methods: collecting objective data, such as having the study's audience answer quizzes to determine the extent of their cybersecurity knowledge, and collecting subjective data, such as asking the opinions of cybersecurity professionals. This allows for a comparison between how a cybersecurity program is working and how the professionals who constitute said program believe it to be working. Therefore, the data helps to eliminate the disparity between perceived aptitude and true security.
The paper defines the effectiveness of a cybersecurity program in several categories. Some of these categories include improvement in cybersecurity behavior resulting from a program (such as the reduction of risky behavior, e.g. clicking unknown links), changes in the attitude of cybersecurity professionals, knowledge and competence shown by professionals, interest in the program, and reachability of the program. These categories are measured via a combination of methods: an intrusive, questionnaire-based collection of data, a (non-intrusive) simulated attack and response by the professionals, monitoring of system data, surveys, and interviews. This wide range of data collection methods makes outliers easier to identify.
The authors acknowledge that it is difficult to create clear metrics, agreed upon by a majority of professionals, that meaningfully determine the effectiveness of a cybersecurity program, but they also state that the metrics included in this article are inclusive of all involved parties and cover all of the most important factors in cybersecurity safety. As such, the article contributes to the society of cybersecurity in that it determines clear factors and categories for evaluating and improving upon cybersecurity policies.