bility to cybercrime and social engineering attacks are reported in the peer reviewed literature? Individuals are more susceptible to social engineering attacks for a variety of reasons. In general, social engineering attempts appear more efective if the attacker is able to establish trust with the victim, putting them at greater risk [8]. Individual factors or personality traits can also increase the likelihood of someone falling victim to social engineering attacks. It is possible this research, we highlight the various human factors goes on to more advanced learning methods which inthat can make an individual more susceptible to attack volve multiple hands-on exercises on emulated/simulated as reported in the academic literature. components [5]. The performance is evaluated and a preliminary application is presented, where a training

RQ2 – Why do we need a personalised cyber programme for smart shipping personnel is established security framework for training employees within an [5]. organisation? Factors that may help overcome the dificulties posed Personalized cyber security frameworks will enhance the by implementing a training and awareness program existing security protocols and methodologies followed against social engineering are studied in research by Alduring training and will incorporate new security layers dawood and Skinner [3]. The authors describe the need of which will consider even the human factors that impact information security training and awareness programs is an individual’s cyber behaviour and awareness. to harness employees with skills to identify, disable, and report any social engineering attempts to misuse their

Section 2 of this research highlights the aims and chal- resources. The study also makes recommendations based lenges that this paper intends to overcome. Section 3 on the viewpoint of security decision makers within orpresents literature review studied from diferent research ganizations on how to address challenges [9, 10, 11, 12]. papers in order to formulate results. The design and Key issues faced by cyber security training and awareplan followed in this research has been presented in sec- ness programs have been identified in research by Kortion 4. The results identified and formulated have been pela [7] and the probable benefits that can be derived by explained and tabulated in section 5. combining existing data sources to enhance these programs using learning analytics which is an upcoming ifeld in data analytics has been explained. The author 2. Aims and challenges even mentions that in order to potentially improve cyber security metrics, organizations and professionals should Training and awareness programs present several chal- harness the use of data analytics to tackle the issues of lenges such as "business environmental, social, constitu- how users fail to identify risks and a ’lack of understandtional, organizational, economical, and personal". ’Trust- ing on how cyber security is best learned by its users ing nature of humans’ is another factor that hinders [7]. awareness and training programs against social engineer- Importance of putting in place formal educational and ing is a low level of interest found within the personnel. training standards to enable organisations to manage Moreover, problem with modern training techniques is human factors related to cyber security efectively has that they take a lot of time and even lack training budget been highlighted in the research of Nifakos et al [2], ul[3]. timately reducing cyber risks. The research examined

The absence of cybercrime, which is instrumental in human factors, but a systematic methodology for harexploiting both the vulnerabilities of systems and human monising the research findings should be developed to weaknesses, is one of the biggest obstacles to implement- allow cyber security experts to objectively evaluate these ing digital transformation strategies. Employees must be ifndings in order to support securing the IT infrastructure provided with the proper training in order for them to of healthcare facilities in future research [2]. be able to recognize, flag, evade, and disable malicious How an interdisciplinary approach based on a human attacks [3]. To upgrade the cyber security training pro- factors approach can contribute to the science of security grammes more human centric, an awareness or training has been conveyed in the research of Proctor and Chen framework must be implemented for all personnel, which [1]. The authors describe the importance of human facinclude the major cyber risk aspects and its awareness tors in security by using two examples that illustrate the factors [5]. contribution of a scientific approach to security detection

There is a need to investigate the similarities and dif- of phishing attacks and the selection of mobile applicaferences between men and women with regard to cyber tions [1]. Finally, they conclude that in order to consecurity beliefs and behaviours like personality, cultural tribute to cyber security, human factors experts should background, emotion reaction, age, and motivation. utilize their existing knowledge of applied information processing and decision making [1]. 3. Literature review Methods for measuring, quantifying, and evaluating human organizations’ security posture, especially those Hatzivasilis et al. in [5], describe a methodology to adapt within large corporations and government organizations cyber security training programmes dynamically. They have been investigated by Brian et al in their research mention how a trainee consumes the primary teaching [13]. The study presents the results of two rounds of materials such as lectures, tutorials, videos, etc. and experiments conducted at Columbia University using bogus phishing emails to train approximately 4000 staf and by a second phishing attack that had diferent content students [13]. The authors further suggest that it is pos- [17]. According to the results of the study, gender plays sible to train users using decoy technology to anticipate a significant role in cyber security awareness within the possible threats, and the measurements can be applied to Thai cyber ecosystem since Thai female employees have multiple organizations in order to gauge their security a higher level of cyber security awareness than male posture as compared to each other [13]. employees as well as the diferences between the ages

Correlation of human characteristics with cyber secu- of Thai users’ cyber security awareness [17]. Although rity behaviour intentions has been researched by Gratian this research is just limited to Thai employees but can be et al [14]. The study estimated that 5 to 23 percent of considered in general sense too. the variance in the reported cyber security behaviour in- By identifying efective ways to encourage cyber secutentions was attributable to individual diferences based rity education development and address gender gaps in on demographic factors, personality traits, risk-taking the cyber security workforce, the overall goal in study by preferences, and decision-making styles in 369 students, Amo et al. [18] is to contribute to the literature on cyber faculty, and staf at a large public university [14]. security education. Their findings indicate that female

The purpose of study by Anwar et al. [4] was to in- students were significantly more engaged and eficacious vestigate the efect of gender as a deciding variable in in cyber security, which is quite promising in regards to the relationship among the psychosocial factors and self- gender gaps in cyber security [18]. reported cyber security behaviours among staf of diverse The study by Gillam and Waite [19] sought to idenorganizations. The results of this study indicate statisti- tify the psychological factors that influence workplace IT cally significant diferences between men and women in end users’ motivation to learn about cyber awareness and terms of computer skills, prior experience, cues-to-action, avoid threats. As a result of this study, gender-related and security self-eficacy. Self-eficacy among women is considerations were revealed that can be used to guide significantly lower than that among men, so they could cyber security training of IT end-users such as threat be possibly targeted for intervention [4]. Thus, they con- avoidance in human resource development contexts, esclude that by addressing the relevant constructs of the pecially when it comes to motivation [19]. cyber security behaviour, we can develop gender-specific Study of ’Gender and locale diferences in cybercrime cyber security training and interventions to improve em- awareness among adolescents’ was conducted by Thakur ployees’ attitudes and behaviour [4]. and Kaur [20]. The findings showed that there were

Human factor is one of the major contributors to the significant gender diferences between rural and urban vulnerabilities of an information system, and disparate young males and young females in terms of cybercrime attack vectors which are being utilized today to exploit awareness. human weaknesses have been examined in research by By bringing together research from unique and diverse Radu et al [15]. The authors further state that a social en- disciplinary backgrounds, study by Jeong et al. [21] engineering awareness and training program must ensure ables us to increase our understanding and provide a that employees have a basic understanding of how social framework for efective cyber security strategies by proengineering attacks are conducted [15]. Furthermore, viding a comprehensive overview of the socio-cultural employees must have the knowledge and training neces- dimensions of cyber security. This special issue addresses sary to detect an attack, respond appropriately, and find people, culture, and cyber security research that enriches a way to prevent exposure to social engineering threats our understanding of them. Following the expert review [15]. process, a framework and assessment tool were devel

Review of relevant theories and principles which pro- oped to highlight strengths, weaknesses, and opportunivide insight through an interdisciplinary framework that ties [21]. encompasses human factors, behavioural cyber secu- The analysis in research by Creese [22] identifies that rity, and modelling and simulation has been carried out on the basis of their development and the extent of Maalem et al [16]. The authors mention that it is impor- their Internet use, some countries have demonstrated tant to customize cyber awareness training to employees greater maturity in capacity building than were expected. considering their diferent credentials and levels of access. Through a cross-national and cross-regional compariThey further state that employees need to be trusted, but son of capacity building, this paper shows regional difthey must also be taught technology and cyber aware- ferences are largely influenced by two key national difness, and compliance needs to be verified [16]. ferences in the extent of Internet use and the level of

An extensive financial institution in Thailand con- development [22]. ducted study in research by Daengsi et al. [17] to assess A three-part study of people’s perceptions of cyber secyber security awareness among approximately 20,000 curity is presented by Renaud et al [23]. Several aspects employees. An initial phishing attack was conducted of people’s lived cyber security experiences were conwhere knowledge transfer was achieved and followed firmed by the investigation where one blind spot issue

awareness programs are modified by adding the diferent human factors which have been mentioned in the paper. This helps to develop a personalised cyber training framework. The framework developed and evaluated would be used to train an individual exhibiting specific human centeric factors to build their cyber awareness.

where as a part of the test, a phishing email ofering was identified along with negative attitude of people to- more Gmail storage was sent by the experts [17]. The ward cyber security that are widespread but not universal data from this test was gathered, processed, and analysed is studied [23]. and found that female employees’ responses were always

Using open-ended responses from a pilot study and lower than those of male employees [17]. It indicates that congressional debates, research by Cheung-Blunden et females have a better level of cyber security awareness al. [24] sought to identify behavioral categories in cyber of phishing than males [17]. A positive growth pattern security solutions. By distinguishing fear, three types of in cyber security self-eficacy is observed in females comsafety behaviors which are avoidance, surveillance and pared to males and females gained more problem-solving vigilance were identified in this study and were expected proficiency than males over time [ 18]. While young feto be mutually exclusive because emotion was expected males have higher mean values than young males in cases to have unique motivational power [24]. where there is a high level of cybercrime awareness, they

A hacking of one’s smart security camera represents are ahead in cases of medium levels, and in cases where one of the most emblematic examples of a cyber security there is a low level of cybercrime awareness, young febreach, and study by Budimir et al. [25] explored which males tend to have higher mean values than young males personality characteristics systematically relate to these [20]. processes. An important link between a cyber security Males tend to react more aggressively to cyberbullybreach situation and possible long-term mental health ing and have a deeper emotional response in situations efects was discovered in this study [25]. of hacking, while females tend to have more intense emotional reactions. Using digital technologies, cyberbullying involves repeated behavior meant to intimidate, 4. Research plan and Methodology anger, or shame the target [26]. Mobile phones, messaging platforms, gaming platforms, and social media The research implementation is carried out in two phases. platforms can all be used for this [26]. ’Remote sexual The first phase is about carrying out an in depth analysis abuse’ occurs more often against women and girls than and researching into the topic of human centric issues men - coerced to pose naked online or stalked via internet of cyber security. It involves referring of research pa- [27]. The term cyberstalking means stalking someone pers and articles through the use of university library through the use of the internet. Stalkers are using email and other platforms. Investigation on the importance of message applications, posting messages on the web, and human centric aspects in cyber security, how to build sometimes even social media, such as Facebook, Instaapps and training materials applicable with personality, gram, and many more, to continually try to approach gender, cultural background, emotion reaction, age, moti- someone online without their consent [27]. vation, and hidden biases is carried out. The second phase Based on the observations and results of the studies involves development of a framework which includes the that have been referred to for this research, the Table 1 above-mentioned aspects and to provide guidelines as to shows the things that need to be considered for cyber how the framework can be useful for organizations for training specific to an individual’s gender. carrying out cyber trainings and awareness programmes.

A secondary research methodology is employed in this 5.2. Age: research, since this study relies on already existing data.

Various sources such as published journals and reports A person’s age can also be considered a crucial factor in the University library and websites are used for the when determining a person’s identity, since people at collection, organization, and analysis of data. diferent stages of life experience diferent social, organizational and environmental challenges and contexts [17].

Self-eficacy and precautionary behavior were significantly positively correlated with self-eficacy in youngsters, but in older group the correlation was negatively up files to prevent future issues [30]. significant, but not statistically significant [19]. As internet use among seniors increases, the elderly

Adolescents are most at risk for Cybercrime due to have become more vulnerable to online scams [31]. A their attraction to the internet [20]. Therefore, adoles- majority of seniors don’t protect their internet-connected cents are very much in need of awareness/knowledge devices with passwords, leaving them vulnerable to those related to cybercrime, since failure to do so can harm who pick them up [31]. This group is also more likely to them financially or emotionally [ 20]. The teenager is be at risk because they share their personal information already seeking the truth only through his own experi- through social media platforms like Facebook and Twitter, ences, if the child is ready to obey the authority of an as well as have to use online services and apps to access adult, this is the age of active knowledge and personal health care, insurance, housing, voting, financial, and development [28]. Teenagers often commit acts that can voting services [31]. lead to undesirable consequences for the simple reason Based on the observations and results of the studies that they try to protect themselves from adults’ influence, that have been referred to for this research, the Table 2 and they are easy targets for criminals because of their shows the things that need to be considered for cyber curiosity, openness, and lack of experience [28]. training specific to an individual’s age.

People between 18 and 25 years old are more vulnerable to phishing scams [7]. Every day, college students use 5.3. Culture: the internet for work and pleasure - to complete research for essays and assignments, to stay connected on social Social identity plays a definite role in how passwords media, to make online purchases, and to keep up-to-date are generated in diferent countries, with diferent users’ on entertainment news [29]. In the age of cybercrime, attitudes towards passwords [21]. Cyber security attithe sheer amount of data we share online puts us all at tudes, values, and practices vary even among countries risk. It is more likely that young people and college stu- that share the same values, attitudes, and practices due dents will fall for fraud scams as they use social media at to diferences in development and Internet usage across higher rates than other age groups and are statistically nations [21]. There is a significant diference between more susceptible to fraud scams [29]. the average maturity stage of Europe and Americas com

A survey of data protection and privacy profession- pared with those of other regions, and the diference is als found that 66 percent believed their employees were large enough, that average maturity stages are the same the weakest link in protecting their organizations from across all regions [22]. There is no statistically significyberattacks [30]. In spite of the automation of tedious cant diference in the average maturity stage between cyber security tasks, it’s still a good idea to provide em- the African and Asian regions, leading us to conclude ployees with online security awareness trainings such as that they are approximately equal in maturity [22]. password security, phishing and importance of backing America’s national and economic security is at risk from malicious cyber activity [32]. A key objective of the

America Europe Asia and Africa on a sad–happy scale, but may vary based on context, Awareness of Awareness of Awareness of individual identity, and action [23]. Cyber security is Ransomware Ransomware Ransomware viewed negatively by most people and these negative and Malware emotions are expressed unprompted [23]. To ensure that pKonloitwiclaeldlygemootif- pAowliatriecnalelyss mootif- pAowliatriecnalelyss mootif- unfamiliarity does not lead to uncertainty or negativity, vated attacks vated attacks vated attacks cyber security training must take specific steps to ensure Awareness of Awareness of Awareness of that they are sensitive to the fact that the concepts beBusiness Email Crypto-jacking Business Email ing introduced could trigger negative emotions and take Compromise Compromise particular measures to avoid this [24]. Personal motive Denial of service Awareness of The emotions of women were more intense and afattacks attacks server attacks fective, and the feelings of men were more likely to be Online payment Command-and- ifght/flight reactions [ 25]. A female typically experiences frauds control server more intense emotional reactions, more emotion during attacks instances of cyberbullying, and is more prone to anxiety during instances of hacking. A male typically reacts more aggressively during such situations [25]. Similarly, FBI’s cyber strategy is to put cyber adversaries at risk and older people experience less negative afective events impose consequences on them, and to change the behav- and have better emotion control skills, older people were ior of criminals and nation-states, who are confident they more likely to have proactive and cognitive/motivational can compromise U.S. networks, steal intellectual property replies [25]. and financial assets, and threaten critical infrastructure Cyber criminals often involve peoples’ fears as primary without taking any risks themselves [32]. weapons [36]. The ransomware that afects corporate net

Based on publicly available data, ENISA Threat Land- works has caused havoc, and, while online media stokes scape presents an overview of threats, threats agents, people’s fears, it may be easy to trick them into clicking and threats trends in Europe, providing an independent links or opening emails that exploit these fears [36]. A view of observed threats, agents, and trends [33]. Threats, data breach or other security incident tends to stress evmajor trends, threat actors, and attack techniques such eryone out and can lead to a variety of feelings, including as ransomware and malware, cryptojacking and online denial in the first moments, panic, anger, anxiety, even payment frauds are outlined in the 2021 report, along guilt [37]. In the midst of a crisis, and even before it with mitigation measures [33]. begins, it is imperative to remain calm and collected [37].

Due to their weak cyber defenses, African countries There has always been a reluctance among companies to have become a favourite target of international cyber- disclose data breaches, much of it due to simple embarcriminals, and financial institutions are in particular at rassment [38]. A malicious actor can misuse curiosity to risk of financial fraud, data theft, and malware attacks boost the efectiveness of their campaign by weaponiz[34]. The biggest cyber threats in an African context in- ing it [39]. Our curiosity can lead us to act impulsively, clude: online scams (such as phishing), digital extortion, without thinking things through, and sometimes even in business email compromise, ransomware and botnets an irrational manner [39]. The ability to manipulate the [34]. More than half of Asian companies (64 percent) target so the malicious actors can get away with mistakes have been afected by cyberattacks, and privacy breaches or inconsistencies that the target would otherwise notice are the top concern for nearly 7 out of 10 respondents (68 allows them to get away with mistakes [39]. percent), followed by ransomware (58 percent) [35]. The Based on the observations and results of the studies majority of Asians perceive privacy breaches and data that have been referred to for this research, the Table 4 loss as the top cyber threats, but 26 percent haven’t im- shows the things that need to be considered for cyber proved their security systems, while 31 percent haven’t training specific to an individual’s emotions. improved their data protection [35].

Based on the observations and results of the studies that have been referred to for this research, the Table 3 shows the things that need to be considered for cyber training specific to an individual’s culture.

5.5. Framework Implementation

framework is developed using Typeform forms [40]. The framework associates for cyber awareness training program for individuals. Guideline for the framework is provided in its introduction as shown in figure 2.

Referring to figure 3, the ideology is, first questions specific to the human factor (gender, age, culture and emotion evaluation) are asked. For emotion factor, two case scenarios are presented and options for individual’s emotional reactions are provided. According to the options selected, the individual’s emotional behaviour will be identified.

As shown in figure 4, based on the responses to the four human factors, questions related to awareness/knowledge of specific topics are asked. If the individual is not aware of a particular topic, he/she will be guided to a link, providing the required knowledge. However,if an individual answers "yes", he/she will be provided with a test question to test their knowledge regarding the respective topic. If the answer is correct, they move to the next topic. However, if the test question is answered wrong, they will be provided with a training link that must be viewed to impart awareness about cyber influence of that particular human behavior.