Adapting Cyber-Security Training to Your Employees

The aim of this paper is twofold. First, it introduces the concept of a framework of controls that relates to the human aspects of cyber security, which is adaptable to different types of organisations and different types of employees. A review of the literature confirmed that Adaptive Control Frameworks (ACFs) for cyber security exist, but only in terms of hardware and software controls. The second aim of this paper is to empirically test the effectiveness of one of these adaptive controls, namely, the type of training provided. A total of 1048 working Australian adults completed the Human Aspects of Information Security Questionnaire (HAIS-Q). This included questions relating to the types of cyber-security training they had received and how often it was provided, and a set of questions called the Cyber-security Learning Styles Inventory to identify their preferred learning styles for training. The frequency of training did not directly predict Information Security Awareness (ISA) levels. However, the extent to which the training received was matched with an individual's learning preferences was positively associated with ISA levels. This finding supports the hypothesis that if training interventions are adapted to the learning styles of individuals, their level of ISA will improve and therefore their non-malicious behaviour, whilst using a digital device to do their work, will be safer. The practical implications of this finding, as well as suggestions for further research on the ACF, are also discussed.