<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta>
      <journal-title-group>
        <journal-title>H. Aldawood, G. Skinner, Reviewing cyber security social engineering training and awareness
programs-pitfalls and ongoing issues, Future Internet</journal-title>
      </journal-title-group>
    </journal-meta>
    <article-meta>
      <article-id pub-id-type="doi">10.3390/fi11030073</article-id>
      <title-group>
        <article-title>Cyber Security Training 2.0 - from theoretical learning to practical experience</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Clemens Huber</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Michael Kohlegger</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Reinhard Bernsteiner</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Christian Ploder</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>MCI Internationale Hochschule GmbH</institution>
          ,
          <addr-line>Universitätsstraße 15, 6020 Innsbruck</addr-line>
          <country country="AT">Austria</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2025</year>
      </pub-date>
      <volume>11</volume>
      <issue>2019</issue>
      <fpage>10</fpage>
      <lpage>11</lpage>
      <abstract>
        <p>In the face of rising cyber threats, particularly SQL injection (SQLi) attacks, improving employee awareness through effective training is critical. This paper presents a comparative study evaluating the impact of a practice-oriented training approach versus a purely theoretical one on learners' understanding and self-efficacy regarding SQLi. Using a pre- and post-test design with 28 participants, the study examined learning outcomes across three knowledge dimensions (basic, application, and transfer) alongside perceived ability and satisfaction. Results show that the combination of theory and hands-on exercises significantly enhances knowledge acquisition and confidence, particularly in basic and application knowledge. While transfer knowledge gains were limited, the findings emphasize the importance of integrating applied content in cybersecurity education. Limitations and future research directions are discussed to improve assessment depth and generalizability.</p>
      </abstract>
      <kwd-group>
        <kwd>IT Security</kwd>
        <kwd>Security Training</kwd>
        <kwd>SQL Injections</kwd>
        <kwd>Security Awareness</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>This paper aims to investigate whether practice-oriented training formats can significantly improve
learners’ understanding and practical competence in identifying and mitigating SQL injection
vulnerabilities compared to traditional theoretical training approaches.</p>
      <p>
        With the increasing digitization of business processes and the proliferation of interconnected systems,
the attack surface for malicious actors has expanded dramatically. Among the most persistent and
impactful vulnerabilities in modern web applications is SQL injection (SQLi), which exploits improper
handling of user input in database queries. Despite longstanding awareness, SQLi remains prevalent
and continues to cause high-impact breaches across sectors [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ].
      </p>
      <p>Beyond technical defenses, the human factor remains a critical vulnerability. Studies highlight that a
large proportion of security breaches are facilitated by insufficient awareness and training of system
users and developers [2]. As such, improving cybersecurity awareness through training is now a central
strategy in organizational risk management [3].</p>
      <p>While numerous awareness programs exist, their effectiveness varies widely. In many cases, training
is delivered through static, theoretical formats that fail to equip learners with practical skills or the
confidence to apply them. Particularly for small and medium-sized enterprises (SMEs), the challenge
is acute: limited resources often prevent investment in interactive or customized security education
[4]. According to the Austrian Federal Criminal Police Office, cybercrime is increasing sharply, with
a notable drop in resolution rates [5]. These trends underline the need for more impactful, scalable
training models.</p>
      <p>This study explores whether incorporating practical exercises into a theoretical training module
improves learning outcomes and perceived capability in identifying SQLi threats. This is subsumed in
the following overall research question:</p>
      <p>What is the impact of a practice-oriented training approach on learners’ knowledge acquisition
and perceived self-efficacy regarding SQL injection, compared to a purely theoretical training
approach?</p>
      <p>The presented results of this paper exclusively focus on SQL injection. Other attack vectors such as
cross-site scripting (XSS) were part of the original study but are excluded here to maintain a focused
and coherent contribution. Likewise, technical implementation aspects of the training platform are not
the subject of this paper. Defense mechanisms are addressed only at a conceptual level, supporting the
didactic framing of the training.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Theoretical Background</title>
      <p>To contextualize the training approach and its relevance, this chapter provides an expanded discussion
of the cybersecurity landscape, the attack life cycle, SQL injection as a persistent vulnerability, and key
defensive measures. These foundations establish the rationale for integrating practical exercises into
cybersecurity education.</p>
      <sec id="sec-2-1">
        <title>2.1. Cybersecurity Landscape and Risk Management</title>
        <p>Cybersecurity has evolved from being a purely technical discipline to an integral component of
organizational risk management strategies. Increasing digitization and interconnected IT environments
amplify both the complexity and potential impact of cyberattacks. Reports consistently highlight that
cyber incidents now represent one of the most critical operational risks for enterprises, on par with
financial and compliance risks [6]. Beyond the immediate financial implications, breaches frequently
trigger reputational damage, legal penalties, and regulatory obligations, particularly under frameworks
such as the General Data Protection Regulation (GDPR) [7, 8].</p>
        <p>A proactive approach to cybersecurity therefore extends beyond deploying technical controls; it
requires the integration of human-centered measures such as training and awareness programs [3].
Numerous studies indicate that technical safeguards alone cannot eliminate vulnerabilities caused
by user error or insecure coding practices [2]. Consequently, effective risk management frameworks
increasingly incorporate continuous training to reduce human-related weaknesses, strengthen security
culture, and ensure compliance with industry standards [4].</p>
      </sec>
      <sec id="sec-2-2">
        <title>2.2. Attack Lifecycle: The Cyber Kill Chain</title>
        <p>Understanding attacker methodologies is vital for designing effective training programs. The Cyber
Kill Chain model, developed by Lockheed Martin, conceptualizes a typical cyberattack as a sequence
of seven phases: reconnaissance, weaponization, delivery, exploitation, installation, command and
control, and actions on objectives [9]. By breaking down complex attacks into discrete steps, this model
illustrates how adversaries progress from initial reconnaissance to achieving malicious goals, such as
data exfiltration or system compromise [10].</p>
        <p>From a pedagogical perspective, the Cyber Kill Chain is valuable for structuring defensive thinking. It
helps learners understand not only where vulnerabilities exist but also when and how interventions can
be most effective. In the context of this study, the model supports the argument for practical exercises:
while theoretical knowledge may help learners recognize high-level concepts, hands-on practice enables
them to identify and disrupt specific stages of an attack, thereby translating abstract concepts into
actionable defense strategies.</p>
      </sec>
      <sec id="sec-2-3">
        <title>2.3. Understanding SQL Injection</title>
        <p>
          SQL injection (SQLi) remains one of the most prevalent and damaging web application vulnerabilities,
ranking consistently among the top security risks identified by OWASP and CVE databases [
          <xref ref-type="bibr" rid="ref1">1, 11</xref>
          ]. At
its core, SQLi exploits insufficient input validation and insecure query construction, enabling attackers
to manipulate application logic to gain unauthorized access to databases [12]. A common example is
embedding malicious SQL code in user input fields, which—when concatenated into a query without
proper sanitization—executes unintended commands such as retrieving confidential data or altering
database structures.
        </p>
        <p>Despite being a well-documented vulnerability for over two decades, SQLi persists in modern systems.
This persistence can be attributed to several factors: (1) widespread use of legacy systems that lack
robust safeguards, (2) inconsistent adoption of secure coding practices, and (3) inadequate developer
training on preventive measures [13]. The impact of SQLi can be severe, ranging from unauthorized
disclosure of sensitive data to full system compromise, with cascading effects on operational integrity
and regulatory compliance [13].</p>
        <p>Addressing SQLi effectively therefore requires not only technical solutions, such as parameterized
queries and input validation, but also comprehensive awareness among developers and IT
personnel. This connection underscores the rationale for this study: bridging the gap between theoretical
understanding and practical competence in mitigating SQLi vulnerabilities.</p>
      </sec>
      <sec id="sec-2-4">
        <title>2.4. Defensive Approaches</title>
        <p>Mitigating SQLi vulnerabilities requires a layered defense strategy that combines secure coding practices,
architectural safeguards, and proactive validation mechanisms. According to OWASP guidelines, one of
the most effective measures is the use of prepared statements (also known as parameterized queries).
These enforce a strict separation between SQL logic and user-provided input by defining the query
structure in advance and binding external data as parameters. This approach ensures that user input
cannot alter the intended execution flow, effectively eliminating the primary attack vector for SQLi [13].</p>
        <p>Complementing this measure, stored procedures offer an additional layer of security by encapsulating
SQL logic in predefined database routines. These routines operate under restricted execution rights and
minimize the need for dynamic query construction, thereby reducing exposure to injection
vulnerabilities [11]. When combined with robust access control policies, stored procedures can significantly limit
the impact of potential exploitation.</p>
        <p>Another critical element is allow-list input validation, which proactively defines acceptable input
patterns based on data type, character set, and length constraints. Unlike blacklisting—where known
malicious patterns are excluded—allow-listing only permits predefined valid inputs, thereby reducing
the likelihood of unanticipated attacks [13]. For maximum effectiveness, this approach should be
supported by regular expressions, schema validation, and centralized input handling routines.</p>
        <p>These defensive practices, while highly effective when implemented correctly, rely on consistent
developer awareness and adherence to secure coding standards. Consequently, the inclusion of such
concepts in cybersecurity training is essential. The goal is not only to convey abstract principles but also
to demonstrate practical application through realistic scenarios, reinforcing the connection between
defensive theory and implementation in real-world systems.</p>
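        <p>An added example (not code from the paper or its training platform) that puts the concatenated query beside the prepared-statement and allow-list forms described in this section, using Python's sqlite3 module. The users table, the sample rows, the input strings and all function names are constructed for illustration.</p>
        <preformat><![CDATA[
```python
import re
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user"),
         ("o'brien", "user")],
    )
    return conn


def lookup_concatenated(conn, username):
    """Insecure 'before' form: user input becomes part of the SQL text."""
    query = ("SELECT username, role FROM users WHERE username = '"
             + username + "'")
    return conn.execute(query).fetchall()


def lookup_prepared(conn, username):
    """Prepared statement: query structure is fixed, input is bound as data."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Allow-list by character set and length (hypothetical policy for this demo).
USERNAME_PATTERN = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(value):
    """Accept only values that match the allow-list; reject everything else."""
    if not isinstance(value, str) or USERNAME_PATTERN.fullmatch(value) is None:
        raise ValueError("username rejected by allow-list")
    return value


# Column names cannot be bound as parameters, so they are mapped through a
# fixed allow-list instead of being taken from the request as-is.
SORT_COLUMNS = {"username": "username", "role": "role"}


def list_users_sorted(conn, sort_by):
    column = SORT_COLUMNS.get(sort_by)
    if column is None:
        raise ValueError("sort column rejected by allow-list")
    query = f"SELECT username FROM users ORDER BY {column}, username"
    return [row[0] for row in conn.execute(query)]


def demo():
    """Run the same constructed inputs through each variant."""
    conn = make_db()
    tautology = "x' OR '1'='1"  # constructed textbook input
    results = {
        # Concatenation lets the input rewrite the WHERE clause: every row.
        "concatenated_rows": len(lookup_concatenated(conn, tautology)),
        # Bound as data, the same string is just a name that does not exist.
        "prepared_rows": len(lookup_prepared(conn, tautology)),
        # A legitimate name containing a quote works with binding ...
        "apostrophe_prepared": lookup_prepared(conn, "o'brien"),
    }
    try:
        # ... but breaks the concatenated query even without any attack.
        lookup_concatenated(conn, "o'brien")
        results["apostrophe_concatenated"] = "ok"
    except sqlite3.OperationalError:
        results["apostrophe_concatenated"] = "syntax error"
    try:
        validate_username(tautology)
        results["allow_list"] = "accepted"
    except ValueError:
        results["allow_list"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
]]></preformat>
        <p>The name containing an apostrophe is handled correctly by the prepared statement but would be refused by this particular allow-list, which is why allow-list validation complements parameter binding rather than replacing it.</p>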
      </sec>
    </sec>
    <sec id="sec-3">
      <title>3. Methodology</title>
      <p>This chapter outlines the research methodology used to assess the effectiveness of the proposed
practice-oriented cybersecurity training. It details the underlying evaluation framework, research
design, hypothesis development, survey instrumentation, and validation procedure, with a focus on
understanding learning gains related to SQL injection and stored cross-site scripting (see 1.</p>
      <sec id="sec-3-1">
        <title>3.1. Research Design and Evaluation Model</title>
        <p>To investigate the impact of integrating interactive, practice-based elements into cybersecurity training,
a comparative quantitative study was conducted. The objective was to determine whether learners
exposed to a combined theoretical and practical learning environment demonstrate significantly greater
knowledge acquisition than those receiving only theoretical content.</p>
        <p>The study design followed a pre-test/post-test format with a between-subjects comparison, where
participants were randomly assigned to one of two conditions: Group A received purely theoretical
instruction, while Group B received identical theoretical content supplemented by hands-on exercises
on a controlled training platform. Knowledge gain was measured by comparing pre- and post-test
results, while learner self-efficacy and satisfaction were evaluated using Likert-scaled survey items.</p>
        <sec id="sec-3-1-1">
          <title>3.1.1. Evaluation Framework: The Kirkpatrick Model</title>
          <p>The evaluation framework was guided by the well-established Kirkpatrick Model [14], which provides
a comprehensive four-level structure for assessing training effectiveness. Level 1, Reaction evaluates
participants’ satisfaction with the training and their perceived self-efficacy—in this study, specifically
their confidence in identifying SQL injection vulnerabilities. Level 2, Learning assesses the degree to
which participants acquire intended knowledge, skills, and attitudes, which was measured here using
structured pre- and post-tests on cybersecurity concepts. Each test comprised five multiple-choice
items aligned with Bloom’s taxonomy, including two questions on basic knowledge (e.g., “Which of
the following best describes an SQL injection?”), two on application knowledge (e.g., “Which query
construction introduces the highest SQLi risk?”), and one on transfer knowledge involving an unfamiliar
scenario.</p>
          <p>The remaining levels of the model, while not implemented in the present study, are important for
understanding the broader framework. Level 3, Behavior focuses on the transfer of learning to actual
practice, i.e., whether participants apply the acquired knowledge in their work or daily behavior. Level
4, Results evaluates the training’s ultimate impact on organizational or systemic performance outcomes,
such as reduced security incidents or improved compliance rates.</p>
          <p>This two-level evaluation design—centered on Reaction and Learning—enabled triangulation of
objective learning outcomes and subjective participant perceptions. These are both critical dimensions
in assessing the short-term effectiveness of cybersecurity training interventions, particularly in settings
where long-term behavioral tracking (Level 3) or organizational metrics (Level 4) are impractical due to
temporal or contextual constraints.</p>
        </sec>
        <sec id="sec-3-1-2">
          <title>3.1.2. Hypothesis Development</title>
          <p>Based on the study’s objectives and grounded in learning science and cybersecurity training literature,
the following four hypotheses were formulated:
• H1: Group B achieves significantly higher overall learning gains than Group A.
• H2: Group B demonstrates significantly greater improvement in application-level knowledge
than Group A.
• H3: Group B achieves higher gains in transfer knowledge compared to Group A.
• H4: Participants with less than six years of IT experience in Group B achieve above-average
learning gains compared to the overall average.</p>
          <p>These hypotheses aimed to test both content-specific knowledge acquisition and differential effects
across subgroups, particularly based on prior IT experience. Participants provided background
information including self-reported years of IT experience, prior exposure to security training, and professional
role. IT experience was captured as a continuous variable in years.</p>
        </sec>
      </sec>
      <sec id="sec-3-2">
        <title>3.2. Survey Instruments and Test Design</title>
        <p>The central research instrument consisted of pre- and post-tests aligned with Bloom’s revised taxonomy
[15], focusing on three cognitive levels: factual knowledge (basic understanding), application (use of
concepts in familiar contexts), and transfer (application in novel situations).</p>
        <sec id="sec-3-2-1">
          <title>3.2.1. Pre- and Post-Test Structure</title>
          <p>Each test included five questions, divided across the three knowledge dimensions:
• Basic Knowledge (2 items): Definitions and recognition of SQLi/XSS mechanisms.
• Application Knowledge (2 items): Problem-solving based on realistic attack scenarios.
• Transfer Knowledge (1 item): Application of learned principles to unfamiliar but analogous
contexts.</p>
          <p>Identical questions were used in the pre- and post-tests to measure learning gains. All questions were
multiple choice with equal weight to ensure fair aggregation of results across groups and categories.</p>
        </sec>
        <sec id="sec-3-2-2">
          <title>3.2.2. Scoring and Measurement Consistency</title>
          <p>Each correct answer was awarded one point, resulting in a maximum test score of five points. By
assigning uniform weights across all items, we ensured internal consistency and comparability across
test conditions. Although the transfer category included only a single item, it was weighted equally to
reflect its importance in gauging deep conceptual understanding.</p>
        </sec>
      </sec>
      <sec id="sec-3-3">
        <title>3.3. Validation Procedure and Sample Characteristics</title>
        <p>A total of 28 participants took part in the study. They were recruited from a technically literate
population with varying degrees of cybersecurity experience. Participants provided informed consent
and were randomly assigned to Group A or B based on anonymized IP registration, which was deleted
post-analysis in accordance with data privacy protocols.</p>
        <p>To protect participant identity while preserving test traceability, all responses were linked using
pseudonymous IDs. The collected data were cleaned and standardized before analysis. No participants
were excluded.</p>
        <p>The cohort included both entry-level learners and professionals with IT backgrounds, ensuring
a diverse sample to test hypothesis H4 related to prior experience. The threshold of six years was
selected based on prior literature identifying this as an approximate boundary between early-career
and experienced IT professionals [16]. While the sample size limits generalizability, it allowed for
meaningful statistical comparisons under controlled conditions.</p>
      </sec>
    </sec>
    <sec id="sec-4">
      <title>4. Results and Interpretation</title>
      <p>This chapter presents the results of the quantitative evaluation of the cybersecurity training formats and
interprets them with regard to the defined hypotheses. The data were analyzed using non-parametric
statistical tests due to the small sample size and non-normal distribution. The central research
question guiding this analysis is whether integrating practical exercises significantly improves learners’
understanding of SQL injection and their ability to apply this knowledge in realistic contexts.</p>
      <sec id="sec-4-1">
        <title>4.1. Overview of Key Findings</title>
        <p>The data analysis reveals several notable patterns. First, participants in the combined training group
(Group B) consistently outperformed those in the theory-only group (Group A) across all tested
knowledge dimensions. This performance gap was particularly pronounced for basic understanding and
applied knowledge of SQL injection and cross-site scripting, supporting the notion that practice-based
reinforcement enhances knowledge retention and applicability.</p>
        <p>However, the analysis also revealed limitations in knowledge transfer. Despite modest improvements
in the transfer category, the results were not statistically significant. This finding suggests that deep
conceptual understanding, required for transfer to unfamiliar situations, may require longer or more
complex instructional interventions.</p>
      </sec>
      <sec id="sec-4-2">
        <title>4.2. Hypothesis-Specific Results and Interpretation</title>
        <p>Each of the four evaluated hypotheses is discussed below, based on descriptive statistics and inferential
analysis using the Mann–Whitney U test.</p>
        <sec id="sec-4-2-1">
          <title>H1: Group B achieves significantly higher overall learning gains than Group A.</title>
          <p>Group B (theory + practice) achieved a mean learning gain of 5.86 points, while Group A (theory only) averaged
2.21 points. The Mann–Whitney U test yielded a statistically significant result with a large effect size
( = 0.726), indicating that the practical components contributed meaningfully to learning success.
The result supports H1 and confirms that practical exercises improve overall knowledge acquisition in
SQL injections.</p>
          <p>H2: Group B demonstrates significantly greater improvement in application-level knowledge
than Group A. Application knowledge scores, which reflect learners’ ability to solve concrete
problems based on SQLi scenarios, showed a significant advantage for Group B. The mean learning gain
in this category was 2.79 points for Group B compared to significantly lower scores in Group A. The
statistical analysis revealed a large effect size (  = 0.752), confirming H2. These results align with prior
research suggesting that active engagement with realistic scenarios enhances applied cybersecurity
competence [17].</p>
          <p>H3: Group B achieves higher gains in transfer knowledge compared to Group A. Transfer
knowledge refers to learners’ ability to apply concepts to novel or unfamiliar scenarios. While Group B
showed a slightly higher mean gain (0.786 points) compared to Group A (0.643 points), the difference
was not statistically significant (  = 0.286). The limited effect could be attributed to several factors: (1)
only one transfer item was included in the test, reducing the sensitivity of the measurement, and (2)
transfer generally requires abstract reasoning and time for reflection—conditions not fully met in this
study’s short intervention format. Therefore, H3 must be rejected.</p>
        </sec>
        <sec id="sec-4-2-2">
          <title>H4: Participants with less than six years of IT experience in Group B achieve above-average learning gains.</title>
          <p>To assess whether less experienced participants (IT experience &lt; 6 years) benefited
more from the combined approach, their mean gain (6.42 points) was compared to the overall Group
B average (5.86 points). While this subgroup demonstrated higher learning gains, the difference was
not statistically significant. Nevertheless, the trend suggests that interactive, hands-on formats may be
particularly helpful for novices, a finding consistent with constructivist learning theories [16]. Thus,
H4 is partially supported.</p>
        </sec>
      </sec>
      <sec id="sec-4-3">
        <title>4.3. Answering the Research Question</title>
        <p>The primary research question posed by this study was:</p>
        <p>What is the impact of a practice-oriented learning approach on learners’ knowledge acquisition
and perceived self-efficacy regarding SQL Injection and Stored Cross-Site Scripting, compared
to a purely theoretical training approach?</p>
        <p>
          The findings demonstrate that integrating practical training elements significantly improves learning
outcomes in foundational and application-level cybersecurity knowledge. This is particularly relevant
in the context of known vulnerabilities such as SQL injection, which continue to be a major threat to
web applications [
          <xref ref-type="bibr" rid="ref1">1, 12</xref>
          ].
        </p>
        <p>Moreover, the study underscores the value of active learning formats in boosting self-efficacy—an
important determinant of behavior change in security practices [17]. While the short duration of the
intervention limited deep transfer learning, the results clearly support the integration of practice-based
content in future cybersecurity education formats.</p>
      </sec>
    </sec>
    <sec id="sec-5">
      <title>5. Limitations</title>
      <p>While the findings of this study provide valuable insights, several methodological limitations warrant
explicit consideration. These limitations influence both the internal validity of the results and their
generalisability to broader contexts.</p>
      <sec id="sec-5-1">
        <title>5.1. Sample Size and Participant Profile</title>
        <p>The sample consisted of 28 participants, which, although sufficient for exploratory analysis, constrains
statistical power and increases susceptibility to Type I and Type II errors [18]. Furthermore, the cohort
was relatively homogeneous, consisting primarily of technically literate individuals who voluntarily
opted into the study. This may introduce self-selection bias and reduce the representativeness of the
findings, particularly for learner groups with less technical background or lower intrinsic motivation.
Future research should address these limitations by recruiting larger, more heterogeneous samples,
ideally incorporating participants from diverse professional domains and varying levels of technical
expertise.</p>
      </sec>
      <sec id="sec-5-2">
        <title>5.2. Assessment Instrument Design</title>
        <p>The evaluation relied exclusively on multiple-choice questions, which, while suitable for measuring
factual knowledge and structured application, may inadequately capture nuanced understanding or
complex reasoning processes essential for real-world cybersecurity decision-making. Additionally, the
measurement of transfer knowledge—the ability to apply principles to unfamiliar scenarios—was limited
to a single item. This narrow design likely reduced sensitivity in detecting deeper cognitive learning
outcomes, which are central to long-term behavioral change. Future studies should employ
mixed-method approaches, integrating open-ended questions, multi-step problem-solving tasks, or qualitative
methods such as interviews and think-aloud protocols to achieve richer and more comprehensive
assessments.</p>
      </sec>
      <sec id="sec-5-3">
        <title>5.3. Intervention Duration and Depth of Learning</title>
        <p>The practical training component was delivered within a brief intervention window, which, although
sufficient for demonstrating short-term gains in basic and application-level knowledge, limits the ability
to foster and measure sustained learning retention or higher-order cognitive processes. Transfer of
learning typically requires iterative practice, reflection, and exposure to varied contexts [19]. Future research
should therefore consider longitudinal designs with extended interventions and post-training follow-ups
to evaluate both knowledge durability and behavioral integration in professional environments.</p>
      </sec>
    </sec>
    <sec id="sec-6">
      <title>6. Conclusion</title>
      <p>This study examined the effectiveness of integrating practical exercises into cybersecurity training
focused on SQL injection, comparing a theory-only approach with a combined theory-and-practice
format. The findings clearly demonstrate that practice-oriented training significantly enhances learners’
knowledge acquisition and self-efficacy, particularly in basic and application-level competencies. These
results support the argument that experiential learning formats offer greater value than purely theoretical
approaches in preparing individuals to recognize and mitigate security vulnerabilities.</p>
      <p>Despite these promising outcomes, the research is subject to important methodological constraints
that inform directions for future work. The modest sample size and relatively homogeneous participant
profile limit statistical power and generalisability. Expanding future studies to include larger and more
diverse cohorts will improve robustness and relevance across different learner populations. Furthermore,
the reliance on multiple-choice assessments, combined with the inclusion of only a single transfer
knowledge item, restricts the ability to capture nuanced reasoning and deeper conceptual understanding.
Employing adaptive assessment strategies—such as open-ended problem-solving tasks or qualitative
interviews—would allow richer insights into cognitive processes and learning strategies. Finally, the
brief duration of the intervention constrains evaluation of long-term retention and behavioral transfer,
which are essential for meaningful impact in professional contexts. Longitudinal research designs
incorporating extended interventions and complex real-world scenarios are recommended to address
this gap.</p>
      <p>By systematically addressing these limitations, future research can contribute to the development
of scalable, evidence-based training models that foster not only short-term knowledge gains but also
sustained behavioral change. This will be critical for equipping organizations with the human capabilities
needed to counter evolving cyber threats in increasingly complex digital ecosystems.</p>
    </sec>
    <sec id="sec-7">
      <title>Declaration on Generative AI</title>
      <p>During the preparation of this work, the author(s) used ChatGPT 4o in order to: Grammar, spelling
check and improving the language quality. After using the tool, the authors reviewed and edited the
content as needed and take full responsibility for the publication’s content. Additionally, Figure 1 was
built with the support of napkin.ai.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>CVE</given-names>
            <surname>Details</surname>
          </string-name>
          ,
          <article-title>Vulnerabilities by type</article-title>
          , https://www.cvedetails.com/vulnerabilities-by-types.php, n.d. Accessed: 2025-05-23.
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>