International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056

Volume: 09 Issue: 04 | April 2022 www.irjet.net p-ISSN: 2395-0072

An Effective Cybersecurity Awareness Training Model: First Defense of

an Organizational Security Strategy

Bibhu Dash1, Meraj F. Ansari2

1 Dept. of Computer and Information Systems, University of the Cumberlands, Williamsburg, KY USA
2 Dept. of Computer and Information Systems, University of the Cumberlands, Williamsburg, KY USA
---------------------------------------------------------------------***---------------------------------------------------------------------
Abstract - Security Education Training and Awareness both the human factors and technological angles that may
plays a dynamic role for organizations in endorsing lead to penetration or hack. The second aim of this
resources' thoughtfulness and accessibility. This paper research will be to identify the points in a security chain
determines the importance of security awareness training in that can be termed weak points in the chain. The main
dealing with cyber threats. This research uses the problem that this research will face is the rapidly changing
Technology Acceptance Model (TAM), indicating that at-risk dynamics of technology and the development of new and
employees' behavior and information security awareness more secure methods of securing data.
training execution are successful interventions. Yet, those
investigations did not examine Artificial Intelligence (AI) 2. THEORETICAL FRAMEWORK
enabled training, so this study fills that literature gap. This
analysis used a qualitative research design. The article In preparing this research paper, extensive
examines employees' behavior and the effectiveness of AI- analysis and research were done on peer papers and
based security awareness training programs. The study here books showing conduct and dealings in cybersecurity from
helps analyze information security awareness training in organizational security to government and military
the workplace, encouraging behavioral transformations information security [2]. An interest was taken in peer
that would restrain data breaches by incorporating the research papers and articles that show works on
users' exposure and the stringency of coercion and the cybersecurity threats to organizations and the best
retort to peril in prophesying behavior discretions. practices to safeguard the organization from an outside
threat by fortifying the employee knowledge on the topic.
Key Words: Cybersecurity, Risk culture, SETA, NICE, The scholarly articles proved to be especially useful by
TAM, viCyber, AI-enabled exercise, Security providing insight into why information security is
Awareness Training essential. Most of the papers offered an approach that
seemed to be a bottom-up approach by ensuring that each
1.INTRODUCTION employee is educated on the best security practices that
are up to date. If every employee does their particular part
One of the most challenging issues that come with in this security chain, the whole organization will be safe.
advancements in technology is securing systems from A chain is as strong as its weakest link [4].
cyber-attacks [1]. There is a clear need to implement
proper infrastructure security, beginning from the Naïve information security practices among
grassroots and the local government. This has made current and former employees of the organization have
cybersecurity an essential factor in the teaching of been the leading source of cyber threats, vulnerabilities,
information systems with the development of hacktivist and penetrations, with between 72% and 95% of the
groups such as Anonymous, whose sole purpose is to threats coming from these sources, according to Price
cripple the information systems of different governments Waterhouse coopers research findings [5, 6, 23]. Most
[2]. Information system analysts in each organization are attacks are performed by unsupervised use of the internet,
responsible for the cyber education of the employees, where information systems are attacked by malware.
ensuring they are conscious of the risks that exist in Malware is one of the most common tools cybercriminals
cyberspace and making informed decisions that are in the use to conduct attacks and exploit vulnerabilities in an
best interests of the organization's security [3].This paper order. Another significant threat that a system has is the
will mainly focus on the programs that can be risk of human error, known as social engineering, where
implemented to ensure information security and data humans are manipulated to give out valuable system
vulnerability awareness. The main objectives of the information, such as their authentication details. Even the
research will be to ensure that the employees or staff of best-developed systems can be brought down through
the organization understand the threats that exist to the social engineering by utilizing methods such as phishing,
organizational data and how to ensure there is security in vishing, and impersonation [7]. Hence, organization
the organizations' information systems by focusing on

© 2022, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page 1
 International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056
Volume: 09 Issue: 04 | April 2022 www.irjet.net p-ISSN: 2395-0072

employees must acquire updated cybersecurity protection Cybersecurity awareness is vital in the
skills and countermeasure awareness [8]. organization. It specifies the level to which the
organization is ready for any cyber-attack and how well
2.1 TECHNOLOGY ACCEPTANCE MODEL the employees are conversant with the topic [12]. For an
organization to say that they have awareness in their
In this paper, Technology Acceptance Model ranks, the employees and the organization must be
subjected to the threats while being taught the cause and
(TAM) was adopted in this study to measure the
effects of each threat and how to prevent and counter the
variables. In 1989, the author Davis executed the threat [13]. This will create a sense of responsibility
technology adoption model, and it recreated an among the employees and not leave the information
influential role in information management. Davis et security bulk of dealing with threats to the information
al. depict the TAM model as a framework "used to system managers. Security risks in an organization require
represent the determinants of computer acceptance both prevention and countermeasures. The
that is prevailing, and proficient of interpreting user countermeasures include employee awareness, Security
behavior [i.e., use] across a broad array of end-user. Education Training Awareness (SETA) programs, and
In TAM's initial version (see Figure 1), the term computer sanctions and monitoring [14]. Therefore, now
attitude has another meaning influenced by the organization needs to research the cyber threats that
are most likely to face and determine their
technology and use. The TAM specifies "attitude" as
countermeasures by developing a cyber-security risk
the stage in which the end-user has assertive (or policy and computer safety document.
unfavorable) perceptions of the technology or
process. Unless employees protect themselves and the
organization's systems, even the best intrusion detection
and prevention systems will fail. The organization may
have the latest technology in firewalls, intrusion detection,
and intrusion prevention systems, but human factors must
be considered, like awareness and skill training programs
[15]. Many of the programs are the SETA hat that comes in
many forms like coercing and fear tactics by showing the
employees the threats in real-world situations and the
adverse effects they bring [16]. Both online and real-life
Fig -1: Technology Acceptance Model: Initial Version training should be conducted on the employees to ensure
that they get to memorize every critical security measure.
2.2 TAM’S MODIFICATION The delivery method of the SETA programs may be
different in an organization depending on the type of
Employing the original TAM model, investigators employees being dealt with. Still, the essential factor is
executed many analyses. Davis et al. (1989) authenticated that they understand the risk that the organization may
that perceived usefulness and ease of usage undeviatingly face from their actions.
influence a new variable: behavioral intention [9].
Venkatesh and Davis (1996) eradicated the attitude For the SETA program to be effective, it must
variable and replaced it with behavior intention to address the organization's security and risk policy topics.
develop the TAM's final version (see Figure 2) after But some critical foundational issues have to be in place as
further testing [10]. In both TAM's older and new versions, they are familiar to most organizations, such as data
external variables are crucial in demonstrating perceived security, shared risks and vulnerabilities, and password
usefulness and ease of use. External variables usually management [17]. The ISO/IEC 27002 [18] standards for
entail user training, user engagement throughout the IS security policy is a document that contains the
study, and execution [11]. necessary information security topic. Although some of
the issues are not common in all organizations, it works
well as a template for security policies.

3. SETA DESIGN AND ITS EFFECTIVENESS

Though the security awareness program is rising

progressively in many organizations, very little data is
available to measure its direct impact on work
Fig -2: Technology Acceptance Model: Final Version environments [19]. Security awareness training is the first
step toward an organizational security strategy model. To

© 2022, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page 2
 International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056
Volume: 09 Issue: 04 | April 2022 www.irjet.net p-ISSN: 2395-0072

help organizations develop an effective SETA program, the 4.1 NICE FRAMEWORK AND VICYBER MODEL
above discussed theoretical framework should pass these
3-C tests: Constant, Complementary, and Compensatory In an effort to design the best cybersecurity
[20]. Also, SETA programs need to be cost-effective, high curriculum using AI tools, organizations are using the
in availability and benefit it gets with an optimal degree of models developed by the National Institute of Standards
security. Some of these programs are very complex, but at and Technology (NIST), USA. The effective model
the same time, it lacks the primary step, for instance, the developed by NIST is called the National Initiative for
entire lifecycle of the phishing training program. Simple Cybersecurity Education (NICE) framework. It is a full-
rules for a successful training program are clarity and less proof model developed by industry experts and
forceful involvement. So, the SETA training program academicians for cybersecurity education, training, and
members need to be more informative without integrating workforce development [26]. The NICE framework
themselves more into employees’ daily activities. Recently, consists of seven categories, 31 specialty areas, and 369
game-based cybersecurity programs were influential in Knowledge. Skills and Abilities areas (KSAs), 65
students' cyber security awareness training [21]. competencies, and 444 tasks under various specialty areas
[27]. Hodhod et al. [27] described the detailed NICE
Some organizations are overly dependent on these framework as shown in Figure 3, and it has a wide
SETA models, making this the core of their security acceptance in many industries.
culture. According to Proctor [22], the primary concern is
an over-reliance on cybersecurity awareness training
programs, and companies think these are the remedy for
any cyber security breach. The over dependency and high
expectations from the C-Suite executives of the company
are not a welcome move for a healthy security climate. To
get the best out of these programs, individuals react
differently; they need to be designed to primarily facilitate
Confidentiality, Integrity, and Availability (CIA) [23]. Any
organization that follows and implements a SETA program
to promote employee resilience to better cope with
changing life is a successful project.

4. USE OF AI IN CYBERSECURITY TRAINING Fig-3: NICE framework diagram

The NICE framework broadly guides curriculum

AI and Machine Learning (ML) are a blessing to
development, but significant companies face difficulties
modern enterprises to educate and tackle cyber threats. AI
using it due to the lack of domain experts who can utilize it
is used as both offensive and defensive techniques to
to the fullest. The large competencies need to be
tackle cybersecurity. AI has been embedded in all
considered along their relationships to develop a practical
information systems such that scholars have pointed out
framework. To overcome this challenge, Amazon presents
that AI failures in complex systems such as banking may
a cloud-based system: viCyber, an intelligent system
face catastrophic sequences with no options of recovery
capable of rapid cybersecurity curriculum and training
[24]. A question arises here, how should we teach and
development using AI and visual mappings [28]. This
blend the applications of AI in cybersecurity for better
service can be used anytime and anywhere to develop,
usefulness? As per scholars, the two options are: (1)
train, and collaborate easily when keeping the
approach cybersecurity the traditional way and discuss AI
infrastructure safe from threats. The viCyber model design
when relevant (2) approach cybersecurity using AI the
is governed based on the NICE framework with feedback
best it can offer [25]. The first option is helpful for learners
and recommendation engine considering user perspective
who want to understand cybersecurity holistically. The
[27, 29]. This AI-based model has a decision support
second option is available for professionals who desire an
system based on the human-computer interaction to
effective way to defend against all kinds of cyber threats.
describe the building up process, which helps to modify
Considering the importance of cybersecurity education at
the conceptual understanding of the user when going
all levels, many Massive Online Open Courses (MOOCs)
through the training with real-time feedback.
have been developed recently to educate and train
beginners and professionals. But all of these pieces of
training lack practical usefulness to safeguard us from all
forms of cyber threats, which prompts organizations to
develop their training program as desirable.

© 2022, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page 3
 International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056
Volume: 09 Issue: 04 | April 2022 www.irjet.net p-ISSN: 2395-0072

The automatic curricula evaluation in this tool provides

users with confidence to design and redesign modules as
time passes.

5. SUMMARY AND CONCLUSION

The issue of cybersecurity is prime among

individuals and professionals of all domains. The main aim
of this research study was to figure out the best method of
planning and implementing cybersecurity awareness
programs among users and employees in organizations.
To do this, research was conducted to answer the
questions; Who or what is the weakest link in the security
chain? What are the necessary components to develop
positive security habits? What are the employee's
responsibilities for protecting the company's assets? The
results were found, and the weakest link in the security
Fig-4: viCyber architecture with AI-enabled rules engine
chain of any organization was determined to be the least
[27]
aware employee in the organization. This employee’s
behavior can be defined as the measure of the strength of
Note: Adapted from Cybersecurity curriculum development
the information system, as a lack of awareness can bring
using AI and decision support expert system, by Hodhod, R.,
down even the most reliable information systems. The
Wang, S., & Khan, S., 2018, International Journal of
second question in the research was determined to be by
Computer Theory and Engineering, 10(4), 111. Copyright
developing a SETA program that was custom to the
2018 by International Journal of Computer Theory and
organization. The last result was that each employee is
Engineering.
responsible for the organization's security. By using a
4.2 USABILITY AND RELIABILITY OF VICYBER bottom-up approach where each employee is accountable
for their section of the information system by the end of it,
TOOL
the whole system would be secure. The viCyber tool with
the NICE framework is somehow the best workable
This viCyber smart system presents a work in framework in the marketplace to build a robust training
progress to develop cybersecurity curricula rapidly and and feedback system. The use of AI-enabled behavioral
reliably. This project contributes to changing the status of security training is rising in some startups and hi-tech
cybersecurity education by helping instructors develop firms that are gaining more popularity with young
the best cyber security programs. The viCyber uses a two- audiences as it studies an employee’s behavior for a few
dimensional visual mapping technique that maps days or weeks before prompting to take the training. This
competencies with KSAs. The visual mapping connects the paper will motivate future scholars and guide them to
knowledge base with the skills and abilities of the NICE build their SETA model integrating AI, Deep learning, and
framework. The learners will select the specialty areas Natural language processing (NLP) for better outcomes.
according to the skill levels that they should master to
succeed in the cybersecurity market. Each course in
REFERENCES
viCyber is an incremental tree according to the expert
level of course content. The evaluation piece in viCyber
[1] Wei Chen Lin, & Saebeler, D. (2019). Risk-Based V.
framework measures how good the curriculum design is
Compliance-Based Utility Cybersecurity -a False
and what level of audiences should attempt the particular
Dichotomy? Energy Law Journal, 40(2), 243–282.
training [27, 30]. Overall, the feedback with scores
[2] Norris, D. F., Mateczun, L., Joshi, A., & Finin, T. (2018).
explains user expertise levels for further
Cybersecurity at the Grassroots: American Local
recommendations on how to make the design better. The
Governments and the Challenges of Internet
output module in the viCyber tool gathers data from the
Security. Journal of Homeland Security &
curriculum and push to the cloud for future performance
Emergency Management, 15(3), N.PAG
evaluation. Also, the powerful feature of this tool is its
[3] Pawlowski, S. D., & Yoonhyuk Jung. (2015). Social
reusability to accommodate the existing curriculum as per
Representations of Cybersecurity by University
industry needs. Users can match their behavior to fetch
Students and Implications for Instructional
the highest matching curriculum using the nearest
Design. Journal of Information Systems Education,
neighbor classification algorithm to match the course's
26(4), 281–294.
tags and keywords [30]. This system can store the peer-
[4] Lykou, G., Anagnostopoulou, A., & Gritzalis, D. (2019).
review curriculum following the NICE framework using AI.
Smart Airport Cybersecurity: Threat Mitigation

© 2022, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page 4
 International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056
Volume: 09 Issue: 04 | April 2022 www.irjet.net p-ISSN: 2395-0072

and Cyber Resilience Controls †. Sensors International Conference on Information Systems,

(14248220), 19(1), 19. Auckland, Australia.
[5] D'Arcy, J., & Hovav, A. (2007). Deterring internal [17] D’Arcy, J., Hovav, A., & Galletta, D. (2009). User
information systems misuse. Communications of awareness of security countermeasures and its
the ACM, 50(10), 113-117. impact on information systems misuse A
[6] IBM Global Technology Services. (2014). IBM security deterrence approach. Information Systems
services 2014 cybersecurity intelligence index. Research, 20(1), 79-98.
Retrieved from http://www- [18] ISO/IEC. (2013). ISO/IEC 27002. 2013 Information
03.ibm.com/security/services/2014-cyber- technology- Security techniques - Code of practice
securityintelligence-index-infographic/ for information security controls. Retrieved from
[7] Algarni, A., Xu, Y., Chan, T., & Tian, Y.-C. (2014). Social https://www.iso.org/obp/ui/ #iso: std:iso-
engineering in social networking sites: How good iec:27002: ed-2:v1:en
becomes evil. Proceedings of the Pacific Asia [19] Ghazvini, A., & Shukur, Z. (2016). Awareness Training
Conference on Information Systems, 1-10 Transfer and Information Security Content
[8] Goode, J., Levy, Y., Hovav, A., & Smith, J. (2018). Expert Development for Healthcare Industry. (IJACSA)
assessment of organizational cybersecurity International Journal of Advanced Computer
programs and the development of vignettes to Science and Applications, 7(5), 361-370.
measure cybersecurity countermeasures [20] PricewaterhouseCoopers. (2016). The global state of
awareness. Online Journal of Applied Knowledge information security survey 2016. Retrieved from
Management, 6(1), 67–80. http://www.pwc.com/gx/en/issues/cyber-
[9] Davis, F. D. (1989). Perceived usefulness, perceived security/information-securitysurvey.html
ease of use and user acceptance of [21] Jin, G., Tu, M., Kim, T-H., Heffron, J., & White, J. (2018).
information technology. MIS Quarterly, 13(3), 319–340. Evaluation of Game-Based Learning in
[10] Venkatesh, V., & Davis, F. D. (1996). A model of the Cybersecurity Education for High School Students.
antecedents of perceived ease of use: Journal of Education and Learning (EduLearn),
Development and test. Decision sciences, 27(3), 12(1), 150-158.
451-481. [22] Proctor, W.R. (2016). Investigating the Efficacy of
[11] Ansari, M. F. (2021). The Relationship between Cybersecurity Awareness Training Programs
Employees' Risk Scores and the Effectiveness of (Unpublished master’s thesis). Utica College, New
the AI-Based Security Awareness Training York.
Program (Doctoral dissertation, University of the [23] Landress, A.D., Parrish, J., & Terrell, S. (2017).
Cumberlands). Resiliency as an Outcome of SETA Programs. In
[12] Ansari, Meraj Farheen (2022) "A Quantitative Study Twenty-third Americas Conference on
of Risk Scores and the Effectiveness of AI-Based Information Systems. Boston, MA.
Cybersecurity Awareness Training Programs," [24] R. V. Yampolskiy and M. Spellchecker, “Artificial
International Journal of Smart Sensor and Adhoc intelligence safety and cybersecurity: A timeline
Network: Vol. 3: Iss. 3, Article 1 of ai failures,” arXiv preprint arXiv:1610.07997,
[13] Shaw, R. S., Chen, C. C., Harris, A. L., & Huang, H.-J. 2016.
(2009). The impact of information richness on [25] S. Laato, A. Farooq, H. Tenhunen, T. Pitkamaki, A.
information security awareness training Hakkala and A. Airola, "AI in Cybersecurity
effectiveness. Computers & Education, 52(1), 92- Education- A Systematic Literature Review of
100. Studies on Cybersecurity MOOCs," 2020 IEEE 20th
[14] Choi, M. S., Levy, Y., & Hovav, A. (2013). The role of International Conference on Advanced Learning
user computer self-efficacy, cybersecurity Technologies (ICALT), 2020, pp. 6-10, doi:
countermeasures awareness, and cybersecurity 10.1109/ICALT49669.2020.00009.
skills influence on computer misuse. Proceedings [26] NIST. (April 8, 2017). [Online]. Available:
of the Pre-International Conference of https://www.nist.gov/
Information Systems on Information Security & [27] Hodhod, R., Wang, S., & Khan, S. (2018). Cybersecurity
Privacy, 1-19. curriculum development using AI and decision
[15] Carlton, M., & Levy, Y. (2015). Expert assessment of support expert system. International Journal of
the top platform-independent cybersecurity skills Computer Theory and Engineering, 10(4), 111.
of non-IT professionals. Proceedings of the IEEE [28] P. Wang and W. Kelly, “A novel threat analysis and
Southeast Conference, 1-6. risk mitigation approach to prevent cyber
doi:10.1109/SECON.2015.7132932. intrusions,” Colloquium for Information System
[16] Kranz, J., & Haeussinger, F. (2014). Why deterrence is Security Education (CISSE), vol. 3, pp. 157-174,
not enough: The role of endogenous motivations 2015.
on employees’ information security behavior.

© 2022, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page 5
 International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056
Volume: 09 Issue: 04 | April 2022 www.irjet.net p-ISSN: 2395-0072

[29] A. H. M. Ragab, K. A. Fakeeh, and M. I. Roushdy, “A

medical multimedia expert system for heart
diseases diagnosis & training,” in Proc. the 2nd
Saudi Science Conf., 2004, pp. 31-45.
[30] D. Benyon and D. Murray, “Applying user modeling to
human-computer interaction design,” Artificial
Intelligence Review, vol. 7, no. 3, pp. 199-225,
1993.

BIOGRAPHIES

Description: Mr. Bibhu Dash is a

Ph.D scholar (IT) at University of the
Cumberlands, KY USA. Bibhu has 17
years of experience in IT with
different insurance and financial
domains. Bibhu’s interest areas are
Big Data, AI, ML, Deep Learning, NLP
and IoT.

Description: Dr. Meraj Farheen

Ansari completed her Ph.D. (IT) from
the Graduate School of Information
Technology, University of the
Cumberlands. She also completed her
MBA with a Specialization in
Management Information Systems
from Concordia University,
Milwaukee, WI, USA. Her research
interests include awareness of
cybersecurity, eliminating Cyber
Threats, & ML. Her current research
involves how to aware organizational
employees of cyber security threats
using AI awareness programs.
Currently, she is working as a
Security Analyst in Northern Trust
Bank, Chicago, IL, USA.

© 2022, IRJET | Impact Factor value: 7.529 | ISO 9001:2008 Certified Journal | Page 6