Assessing the effect of cybersecurity training on End-users: A Meta-analysis

Computers & Security, volume 150, Article 104206. IF 5.4; Zone 2 (Computer Science); JCR Q1 (Computer Science, Information Systems). Pub Date: 2025-03-01. Epub Date: 2024-11-30. DOI: 10.1016/j.cose.2024.104206
Julia Prümmer, Tommy van Steen, Bibi van den Berg

Abstract

Cybersecurity behaviour of end-users continues to be a growing topic of conversation, both in organisations and in academia, as end-users are often said to be the last line of defence against cyberattacks. Unfortunately, end-users are often not aware that they engage in risky cyber behaviours and can, in turn, make themselves and the organisations that they work for vulnerable. Attempting to change end-user behaviour through training programs has become common practice in many organisations, a trend that is reflected in the academic literature as well. While a variety of literature reviews on the topic are available, an assessment of the effectiveness of these training programs through a meta-analysis has so far not been conducted. We carried out a meta-analysis based on a systematic literature review on the topic and an updated literature search in order to assess the overall effectiveness of cybersecurity training programs. We identified 69 studies that were eligible for inclusion.
Our analysis shows that training overall has a positive effect on end-users (d = 0.75, 95%CI [0.58, 0.92]), particularly when assessing predictors of behaviour such as attitudes or knowledge (d = 1.02, 95%CI [0.58, 1.46]). Interestingly, studies assessing changes in behaviour are not able to match these results (d = 0.36, 95%CI [-0.09, 0.80]), showcasing a clear inability of current training approaches to change behaviour. The effect sizes obtained in this meta-analysis can act as smallest effect sizes of interest (SESOIs) for future research on end-user cybersecurity training. Further findings with regards to the effectiveness of individual training methods and other moderators are discussed.

Source journal

Computers & Security (Engineering & Technology - Computer Science: Information Systems)
CiteScore: 12.40
Self-citation rate: 7.10%
Articles published: 365
Review time: 10.7 months

Journal description: Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.