Article Review 1

My article review is of “Developing metrics to assess the effectiveness of cybersecurity awareness program”, published in the Journal of Cybersecurity. The article explores an awareness program’s effectiveness on its audience by proposing metrics on which to base a program’s effectiveness, in order to help companies make the best decision on whether or not to invest in a CSA program.

In the introduction, the article explains that during a cybersecurity awareness program, or CSA for short, leaders must educate participants in a way that is parsimonious while also giving them a fair level of skepticism and motivation to act in order to prevent an incident. The overall idea is to make participants understand how important cybersecurity is and how they can make an impact as well. Participating in a good program should motivate participants to do their part by decreasing how vulnerable they are to threats. The program acts in a deterministic sort of way, meaning it is something necessary to push them in the right direction of practicing healthy cyber hygiene. The aim of CSA programs should be to help participants look at cyber hygiene objectively rather than through whatever opinion they held on the matter beforehand, such as, “The likelihood of me getting hacked is very low, therefore I will keep a plain and simple password to remember and forego the trouble of a slightly more difficult one.”

The article’s research question is which metrics are best used in a CSA program. To answer it, the authors reviewed 32 papers to determine what factors the papers measured and how they measured those factors. They also adapted the European Literacy Policy Network’s four indicators to help make the evaluation process systematic, complete, and reliable. After measuring the factors across all papers, the most common ones were knowledge, attitude, and behavior. Knowledge is the understanding of policies, procedures, and good practices; attitude is the opinions held on cybersecurity; and behavior is the actions taken by participants after the program. Knowledge can be evaluated by a survey or questionnaire, attitude can be evaluated by personal interaction, and behavior can be evaluated by observing how one acts.

The article makes use of data science in charts showing how many times each type of testing occurred in the papers and how many papers evaluated each of the factors. The ones mentioned in the previous paragraph were all the most mentioned except for observation, which only showed up 3 times throughout the papers. That surprised me because I think it is actually the best type of evaluation to get, although it can be tough to automate. The authors created a clear goal and measurable objectives with their criteria for good metrics: the data is consistently measured without subjectivity, cheap and automated to gather, expressed as a cardinal number or percentage, expressed using at least one unit of measure, and contextually specific, meaning it is relevant to decision makers so they can act. All of these can lead to CSA programs being fit for all individuals without leaving marginalized groups out of the picture.

In the conclusion of this article, the authors concluded that there is no one perfect answer for how to measure or what to measure after implementing a framework for an organization, but some type of evaluation needs to happen after CSA implementation. They chalked this up to different organizations having different security needs, which is true for all organizations because there is more sensitive information in some than in others. This article has contributed to society by giving data and information that can lead organizations in the right direction for their own CSA programs, so that they can have the best results in demonstrating awareness to their participants. Another contribution is the overall strengthening of cyber awareness for the public, as a chain effect of the organizations that choose to use this study.

Source: https://academic.oup.com/cybersecurity/article/8/1/tyac006/6590603?searchresult=1
