Article Review #2: Social Sciences Contribution to the Development of Metrics for Cybersecurity Awareness
The article aims to address the lack of metrics for assessing a company’s maturity in cybersecurity awareness (CSA) (Zhang, Zhang, & Chang, 2023). To determine effective metrics, the researchers conducted a literature review of 32 studies, drawing on social science concepts like victim precipitation, human factors, and social influence. These frameworks helped them analyze causes of cyber victimization and identify gaps in how companies promote cybersecurity awareness among employees.
Research Method and Findings
The researchers reviewed 32 scholarly studies to identify key metrics for measuring CSA program success. This archival approach allowed them to assess the effectiveness of various CSA programs and establish the main areas of focus for future evaluations. The three most influential metrics identified were employee behavior, attitude, and knowledge, which the researchers selected as dependent variables for assessing CSA effectiveness. The three primary methods for evaluating CSA were also defined as surveys, tests, and statistical analysis of passive data (Zhang, Zhang, & Chang, 2023).
Victim Precipitation
The concept of victim precipitation, which examines how a victim’s actions may contribute to their vulnerability, was a key social science perspective used in the study. Through this lens, the researchers identified common traits in cyber victims, particularly highlighting that individuals with limited cybersecurity knowledge are more likely to fall victim to cyberattacks. This underscores the importance of regularly assessing employees’ cybersecurity awareness as a proactive measure against potential attacks.
Human Factors
A significant focus of the article is on human factors, particularly the role of human error in cybersecurity vulnerabilities. The primary purpose of CSA programs is to mitigate these human factors by fostering consistent cybersecurity practices among employees. By emphasizing cybersecurity knowledge and maintaining a high standard of cyber hygiene throughout the company, the risk of security breaches due to human error can be minimized.
Social Influence
The study also emphasizes the importance of attitude in cybersecurity awareness. Social influence refers to how individuals adopt behaviors or beliefs based on those around them, which is crucial for sustaining a strong CSA program (Carey, Hamilton, & Armitage, 2014). If most employees maintain good cyber hygiene and take cybersecurity seriously, a supportive environment is created for others, especially new or skeptical employees, to adopt similar habits. Continuous discussion and visibility around cybersecurity can enhance this positive social influence.
Conclusion
The article effectively narrows down essential metrics for CSA training. By focusing on employee behavior, attitude, and knowledge, companies can more effectively assess the impact of CSA programs. The study also highlights that surveys, tests, and passive data analysis are the most effective tools for evaluating these metrics. The use of victim precipitation, human factors, and social influence frameworks provides valuable insights into the factors influencing CSA effectiveness, underscoring the need for a structured approach to cybersecurity training and awareness.
Citations:
Zhang, K., Zhang, J., & Chang, V. (2023). Cybersecurity awareness metrics for organizations: Toward effective measurement of employee cyber hygiene. Journal of Cybersecurity, 8(1), Article tyac006. https://doi.org/10.1093/cybsec/tyac006
Carey, R. N., Hamilton, K., & Armitage, C. J. (2014). Evidence-based strategies to promote physical activity: A review and behavioral analysis of interventions from the United Kingdom. Frontiers in Public Health, 2, 1-12. https://doi.org/10.3389/fpubh.2014.00201