Abstract

Zinnar Ahmed Ghasem

A framework for tailored organisational cyber security training

Society is becoming increasingly dependent on cyberspace, which is now an integral part of most people’s everyday life at both work and home. This dependency spans individuals, businesses, and organisations, including governments, that rely on cyberspace for various services, ranging from email to social networking, and from cloud computing to e-commerce and automated financial processes and transactions. These services are vulnerable and face sophisticated cyber threats, risks and attacks, which can potentially result in financial losses and compromise the confidentiality, integrity, and availability of assets. In mitigating these impacts, technological countermeasures have been found to be ineffective on their own; they need to be coupled with and supported by the human factors of security. As cyber threats evolve in complexity and frequency, the need for more effective methods to enhance end-users’ security compliance becomes increasingly apparent. This study proposes a security model that aims to improve users’/employees’ security compliance and practices, and to enable organisations to gain insight into their employees’ security practices in real time and predict potential security risks arising from individual users’ behaviour. From an analysis of the prior art, it is evident that current approaches were ineffective in improving security awareness, as they did not consider individual users’ security needs and job responsibilities. Following this, a user-based study was undertaken to understand users’ security practices and behaviours. The survey sought a deeper understanding of how users comply with, practise, and perceive security, of any constraints that may hinder their security practices, and of whether what users claim to know or do reflects their actual security practices. This data is used to inform the tailoring of training.
Following this, the study delved into understanding user security compliance and proposes a model for transforming users’ current security behaviour into compliant, desired security behaviour that meets the user’s role and responsibilities. The insights and understanding gained, together with input from stakeholders, fed into the design phase, which led to a proposed system architecture for tailoring training and intervention according to individual users’ needs and job responsibilities. The proposed framework monitors individual users’ security practices, intelligently provides users with personalised help and guidance, and alerts them with a warning when they do not comply with security, that is, when their non-compliant behaviour reaches the threshold. Moreover, the framework keeps managers informed in real time about users’ unwanted behaviours. Additionally, the framework provides managers with a dashboard where they can visualise users’ security behaviour and predict any potential security risks. Following this, the study developed a model for a curriculum-based framework approach. This ensures that the training is aligned with the organisation’s security practices and goals, and that the learning is tailored, based on micro-learning, to meet individual users’/employees’ needs and job responsibilities. Finally, expert interviews were undertaken to evaluate the effectiveness, feasibility and real-world application of the proposed framework. The experts praised the proposed framework and highlighted its strengths, such as real-time capturing and monitoring of users’ behaviours, tailoring of training according to individual users’ needs and job responsibilities, the innovative use of intelligently allocated and tailored interventions, the concept of a model to tailor learning based on the user’s role, and the visualisation of users’ security behaviour over time.
However, the experts also recommended areas for improvement, particularly addressing privacy concerns by using a consent form, considering cultural differences regarding sanctions, and providing guidelines on how to manage and handle managers’ feedback.

Awarding Institution(s)

University of Plymouth

Supervisor

Nathan Clarke, Steven Furnell, Bogdan Ghita

Keywords

Cyber Security, Information security, Computer Security, Network security, Computer Science, Cyber Awareness, Internet Security, Cyber security training

Document Type

Thesis

Publication Date

2025

Deposit Date

November 2025
