Assessment of Web-based Information Security Awareness Courses
Didier Dubey Suarez Medina
Information security awareness web-based courses are commonly recommended in cyber security strategies to help build a security culture capable of addressing information systems breaches caused by user mistakes whose negligence or ignorance of policies may endanger information systems assets. A research gap exists on the impact of Information Security Awareness Web-Based Courses: these are failing in changing to a significant degree the behavior of participants regarding compliance and diligence, which translates into continuous vulnerabilities. The aim of this work is to contribute with a theoretical and empirical analysis on the potential strengths and weaknesses of Information Security Awareness Web-Based Courses and with two practical tools readily applicable for designers and reviewers of web-based or mediatized courses on information security awareness and education. The research design seeks to respond two research questions. The first on the formulation of a minimum set of criteria that could be applied to Information Security Awareness Web-Based Courses, to support their real impact on employee’s diligence and compliance, resulting in eleven criteria for courses’ assessment and a checklist. The second, about a controlled experiment to explore the actual impact of an existing course, in respect to diligence and compliance using phishing emails as educational tools, that reaffirms the theoretical assumptions arrived to earlier. The development of minimum criteria and their systematic implementation pursue behavioral change, emphasizes the importance of disciplinary integration in cyber security research, and advocates for the development of a solid security culture of diligence and compliance, capable of supporting the protection of organizations from information system threats. The results gathered in this study suggest that achieving positive results in the existing information security tests that follow security awareness courses does not necessarily imply that diligence or information security policies compliance are affected. These preliminary findings accumulate evidence on the importance of implementing the recommendations formulated in this work.
Graduation Thesis language
Graduation Thesis type
Master - Cyber Security
Maria Claudia Solarte Vasquez; Raimundas Matulevičius