Cyber Security Competency Model Based on Learning Theories and Learning Continuum Hierarchy

There is an urgent need for transformative changes in cyber security awareness and training programs to produce individuals and the workforce that can deal with business risks emanating from the prevailing and emerging cyber-attacks. This chapter proposes a cyber security competency model that integrates learning theories (cognitive, affective, and psychomotor), learning continuum hierarchy (awareness and training), and cyber security domain knowledge. Employing literature search of scholarly and practitioner works, together with cyber security standards from governmental and non-governmental organizations, the chapter integrates cyber security domain knowledge, learning theories, and learning continuum hierarchy to design a model of cyber security competencies suitable for use in educating individuals and the general workforce. This theoretical-based approach to designing cyber security awareness and training programs will produce skillful individuals and workforce that can mitigate cyber-attacks in the global business environment.

Security Awareness in the Internet of Everything

Our societal infrastructure is transforming into a connected cyber-physical system of systems, providing numerous opportunities and new capabilities, yet also posing new and reinforced risks that require explicit consideration. This chapter addresses risks specifically related to cyber-security. One contributing factor, often neglected, is the level of security education of the users. Another factor, often overlooked, concerns security-awareness of the engineers developing cyber-physical systems. Authors present results of interviews with developers and surveys showing that increase in security-awareness and understanding of security risks, evaluated as low, are the first steps to mitigate the risks. Authors also conducted practical evaluation investigating system connectivity and vulnerabilities in complex multi-step attack scenarios. This chapter advocates that security awareness of users and developers is the foundation to deployment of interconnected system of systems, and provides recommendations for steps forward highlighting the roles of people, organizations and authorities.

Cyber Security Competency Model Based on Learning Theories and Learning Continuum Hierarchy

There is an urgent need for transformative changes in cyber security awareness and training programs to produce individuals and the workforce that can deal with business risks emanating from the prevailing and emerging cyber-attacks. This chapter proposes a cyber security competency model that integrates learning theories (cognitive, affective, and psychomotor), learning continuum hierarchy (awareness and training), and cyber security domain knowledge. Employing literature search of scholarly and practitioner works, together with cyber security standards from governmental and non-governmental organizations, the chapter integrates cyber security domain knowledge, learning theories, and learning continuum hierarchy to design a model of cyber security competencies suitable for use in educating individuals and the general workforce. This theoretical-based approach to designing cyber security awareness and training programs will produce skillful individuals and workforce that can mitigate cyber-attacks in the global business environment.

AWARENESS OF ICT SECURITY POLICY TO ENSURE DATA PROTECTION IN FORESTRY DEPARTMENT PENINSULAR MALAYSIA

The Forestry Department Peninsular Malaysia's (FDPM) ICT Security Policy was developed and implemented in 2012 and reviewed in 2015. This policy aims to take the lead in managing data, hardware, software, network, and ICT security under legal regulations. Amongst the department's responsibilities are to implement data confidentiality, integrity, and availability policies to ensure the continuity of activities and services while mitigating the impact of security incidents. Accidentally, on September 16, 2016, a fire broke out in the FDPM building, causing property damage and document destruction with an estimated loss of RM30 million. Currently, in Malaysia, cybercrime and government data intrusion has become increasingly difficult to combat. Raising public awareness, particularly among officers who serve as service providers and department employees, is therefore critical to address those issues. Therefore, the objectives of this research are to determine the level of awareness of FDPM employees regarding FDPM ICT Security Policy as well as to investigate the factors that influence information security awareness. Inputs from this study were derived from both primary and secondary sources to meet the objectives. Primary data was gathered through surveys where 130 questionnaires were distributed to FDPM headquarters employees at the management, professional, and support team levels. Meanwhile, secondary data was gathered from FDPM annual and management reports, statistical data, journals, reference documents, and the Internet. The findings were analyzed statistically using SPSS. The level of awareness has been determined and an appropriate criterion to improve the level of information security awareness among FDPM employees was recommended which may help for a better understanding of department culture and increase a higher level of security awareness among FDPM employees.

Information Technology (IT) Users in Tertiary Education Institutions in Bulawayo, Zimbabwe: Case of Security Awareness

Information Technology (IT) expansion exposes organisations in developing countries to IT security risks. Zimbabwe’s tertiary education institutions (TEIs) are not spared. Every year, cyber-attacks increase and become more sophisticated, resulting in losses of personal and financial data for individuals, organisations and governments. As the world is interconnected, small and big organisations share the same internet platform. Therefore, IT security risks that affect one, affect all. When IT users are unaware of the risks and uninformed of ways to protect their IT systems, they remain vulnerable. Like other organisations in Zimbabwe, TEIs are vulnerable to cyber-attacks. The study that directed this article employed a quantitative methodological approach in the collection of the data and its analysis. A sample of 261 respondents was selected from the population of IT users in TEIs in Bulawayo. The results indicated that IT security awareness of IT users in TEIs in Bulawayo is low. This is evidenced by the low IT drivers’ contribution towards building IT users’ security awareness, and inadequate implementation and utilisation of IT security awareness tools. The prevailing phenomenon exposes TEIs in Bulawayo to a high risk of cyber-attacks. The results indicated a positive and significant correlation between IT security drivers’ contribution and IT security awareness tools utilisation in TEIs in Bulawayo. The implication is that an increase in IT security drivers’ contribution and IT security awareness tools utilisation will lead to increased IT security awareness. The study recommends that IT drivers double their contribution towards building IT security awareness through adequate implementation and utilisation of IT security awareness tools. This will safeguard the information that tertiary education institutions generate.

Anti-Phishing Awareness Delivery Methods

Phishing attacks are increasingly exploited by cybercriminals, they become more sophisticated and evade detection even by advanced technical countermeasures. With cybercriminals resorting to more sophisticated phishing techniques, strategies, and different channels such as social networks, phishing is becoming a hard problem to solve. Therefore, the main objective for any anti-phishing solution is to minimize phishing success and its consequences through complementary means to advanced technical countermeasures. Specifically, phishing threats cannot be controlled by technical controls alone, thus it is imperative to complement cybersecurity programs with cybersecurity awareness programs to successfully fight against phishing attacks. This paper provides a review of the delivery methods of cybersecurity training programs used to enhance personnel security awareness and behavior in terms of phishing threats. Although there are a wide variety of educational intervention methods against phishing, the differences between the cybersecurity awareness delivery methods are not always clear. To this end, we present a review of the most common methods of workforce cybersecurity training methods in order for them to be able to protect themselves from phishing threats.