<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Human Centric Framework for Customising and Producing Efective Cybersecurity Training Materials</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Ashwinraj Giriraj</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Sherif Haggag</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Hussein Haggag</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>The University of Adelaide</institution>
          ,
          <addr-line>Adelaide</addr-line>
          ,
          <country country="AU">Australia</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Umeå University</institution>
          ,
          <country country="SE">Sweden</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>These days organizational security breaches are widespread, and many of them can be traced back to human errors. As a result, companies must improve employee security awareness and their ability to engage in safe cybersecurity practices. To accomplish so, organizations should spend on cybersecurity training and awareness programs to urge employees to take an active role in adhering to security policies. Numerous organizations' cybersecurity training and awareness activities, on the other hand, fall short of their goals since most training programs focus solely on technical issues, leaving many human factors unaddressed, resulting in training failure. Unlike most other cybersecurity training programs, this study emphasizes the importance of human factors in cybersecurity and the need for successful cybersecurity training and awareness programs in businesses and provides best practices that will assist organizations in developing and implementing efective cybersecurity programs that account for human factors. Also, the end objective of this research is to implement a framework that will suggest personalized cybersecurity training materials based on the end-user's knowledge about cybersecurity.</p>
      </abstract>
      <kwd-group>
        <kwd>eol&gt;Cybersecurity</kwd>
        <kwd>human factors</kwd>
        <kwd>framework</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>
        action, and so on, are all important considerations when
developing efective cybersecurity training programs for
Several successful cyberattacks against businesses have employees in the workplace [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ]. The end-user might
occurred in recent years. Consequently, more companies have diferent skill sets and will be working on diferent
have become concerned, and cybersecurity is now one of roles in an organization. So, the training for an employee
the most important concerns in today’s corporate world. who is working in an IT domain must be diferent from
People are commonly acknowledged as the biggest threat the training of a non-IT employee.
in the cybersecurity chain (Singer and Friedman, 2014 The following is how the rest of our research will be
cited in [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]). As security protection technologies improve, organized. Firstly, we will have a section for Motivation
attackers are particularly focusing on people as potential where we will cover the existing issues within
cybersecutargets for organizational vulnerabilities. If users aren’t rity training programs and we will go over some of the
properly trained or educated, even the most advanced best practices to create an efective cybersecurity training
security systems will not assist much. From one of IBM’s program. Also, we will be addressing two key research
security intelligence reports ,it is evident that more than questions. Then in the literature review, we have
sum80 percent of cybersecurity-related issues are due to hu- marised our findings from various pieces of literature.
mans (IBM 2014, cited in [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]). The Methodology section will summarize the framework
      </p>
      <p>
        For enhancing employee security behavior, firms must design which accounts for various human factors and
analyze the most common challenges in existing security thereby suggests an end-user with appropriate
cybersetraining and awareness programs, as well as strategies curity training materials. The results section will have
to increase the training’s efectiveness. Understanding the evidence for our findings after conducting extensive
the security behavior of both men and women, and the research. The last two sections will talk about our future
similarities and diferences of their security behaviors work and conclusion respectively.
[
        <xref ref-type="bibr" rid="ref2">2</xref>
        ], as well as human factors such as age, interest,
determination, motivation, perceived knowledge, cues to
      </p>
    </sec>
    <sec id="sec-2">
      <title>2. Motivation</title>
      <p>
        cybersecurity training programs that are persisting:
secure cyberspace as compared to secure
technologies [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ]. If there is a good culture, employees
will feel relaxed thereby they tend to be more
productive and can react quickly at times of negative
security events if need be [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ].
5. Organizations should invest in advanced
technologies that can minimize the number of
falsepositive threat alerts. This will help in reducing
the security fatigue [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] for the employees.
• Firstly, the employees of diferent organizations
are bored with the content of cybersecurity
training programs which often contains dull
statements of policies and procedure. So the
employees often do not pay enough attention to the
content and are just concerned with completing the
training as quickly as possible. (Adam 2018, cited
in [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ])
• Secondly, as most organizations do not provide In this research we aim to address the two key research
any bonuses or benefits for employees who fin- questions:
ish security training, many employees lack ex- RQ1 – Why do we need to consider human factors in
citement, interest, and motivation. (Gross 2018; cybersecurity training?
      </p>
      <p>
        Kostadinov 2018, cited in [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]) Many companies have their cybersecurity training
pro• Thirdly and most importantly, several people feel grams, but still, they are facing cybersecurity issues of
that the training materials are too broad and feel one form or the other, like data breaches, ransomware
that they are not streamlined. So, the people do attacks, etc. For a successful cybersecurity training
pronot feel the relevancy and often do not engage. gram, it is vital to change employees’ attitudes and
ac(Adams 2018; Winkler 2016, cited in [
        <xref ref-type="bibr" rid="ref1 ref3">1, 3</xref>
        ]) tions and make them more mindful of security and
ac• Lastly, as diferent people have diferent learning countability. For which relating the awareness with their
styles since the training programs lack person- personal life is essential (Gross, 2018, cited in [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]). After
alization people find it dificult to follow the cy- weighing the importance of each human factor through
bersecurity training programs. (Kostadinov 2018; the associated drawback, it has on the outcome of a
trainNadkarni 2012, cited in [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]) ing program which can be seen from the human factors
table in the results section, it is important to account for
After some research on this study, we found several cy- those factors and rectify the drawbacks. In this RQ, we
bersecurity experts recommendations on some of the propose a framework that will account for age, gender,
best practices that can be followed for having successful motivation and self-determination, and emotion.
cybersecurity training programs. For instance, this sec- RQ2 – Why do we need personalization in cybersecurity
tion provides some of the example practices suggested training program?
by various experts. In all organizations, there will be diferent departments.
1. Enforce Accountability- Address how detrimen- Employees from each department will be having diferent
tal a lack of information and ignorance can be. knowledge about cybersecurity. An employee from IT
Instead of focusing on who failed the assessment, department might need diferent training from an
emconversely, focus on who did the right thing. In- ployee from a non-IT department as for the latter part it
dividuals who do not follow the rules should not would be enough to just have the basic cyber-awareness
be punished; instead, those who do should be re- whereas that’s not the case for an employee from the IT
warded. Ascertain that cybersecurity is included department. Providing generic cybersecurity training is
in each employee’s performance objectives. one of the most important existing issues as it can be seen
2. Relevancy- While framing the content of cyber- from the motivation section. In this study, we describe
security training materials, try to relate some em- the imperative need by emphasizing the importance of
ployees life scenarios like personal online safety. successful cybersecurity training programs and provides
Thereby, it will them in better engagement. Also, personalised cybersecurity training materials through a
there is evidence that employees tend to focus if framework that accounts for various human factors like
the information they receive is immediately rele- age, gender, self-eficacy, motivation, and emotion, and
vant to them, not only at work but also personally. suggests what areas to focus through cybersecurity
train(Adams 2018, cited in [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]) ing materials to improve cyber-awareness based on the
3. Create a testing environment where people can end user’s cyber-awareness. The above-mentioned
hupractically demonstrate the learned skills. This man factors were selected after weighing the importance
will act as a reinforcement for their learning and of each human factor through the associated drawback
people will know what action to take at the time it has towards the outcome of a training program and
of necessity. based on the finding which we have from our human
factors table in the results section and considering the
4. The culture within an organization must also be importance, the top four factors that contributed to the
prioritized, as this has a greater impact on having
success of a cybersecurity training program were age, afects the wider population and is applicable around the
gender, self-determination, motivation and emotion. globe, as well as non-technical viewpoints on the
human elements of cybersecurity. Although there is a lot of
research focusing on technical measures for improving
3. Literature Review cybersecurity, this paper tells the other part of the story
where the users perception and emotion are regarded as
As cybersecurity has been an important area of focus for elements that influence actual cybersecurity conduct. In
quite some time, in this paper we have chosen 20 difer- [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ], the cyber behavior of mobile phone users in the
reent papers of diferent areas of focus like existing issues gion of Czech was investigated by polling 331 people who
within cybersecurity, training methods, human factors had no advanced experience in information technology.
within cybersecurity, modeling cybersecurity training The researchers combined the health belief model and
materials, and so on. a motive theory in their work. While having a general
      </p>
      <p>
        Authors of [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] have examined the approaches and understanding of digital security is crucial, their findings
provides valuable insights that will help enterprises de- suggest that a greater focus on smartphone training to
sign and implement cost-efective, efective, and stimulat- enhance smartphone security behavior is also required.
ing cybersecurity training and awareness programmes. The authors of [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ] is on the behavioral aspects of
cyberMany of the conclusions and recommendations in this security awareness. The researchers of this study used
study are based on a survey of information from non- a gamified method to train and discovered that
gamifypeer reviewed websites and blogs, despite the fact that ing cybersecurity training led to greater self-reported
they provide important insights and actionable sugges- scores on mindsets, control beliefs, intents, and behavior
tions for developing successful cybersecurity training when compared to both non-cyber security games. The
and awareness programmes. researchers of [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ] focused another aspect of protection
      </p>
      <p>
        The focus in [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ] is to look into the parallels and dif- motivation theory, where the work to highlight the
references in cybersecurity views and behavior between lationship between risk perception and actual behavior
men and women. The purpose of this study is to inves- that either efectively nullifies or magnifies anticipated
tigate the diferences between men and women (gender susceptibility to common cyber-based concerns. The
auas a moderating factor) in terms of the above-mentioned thors also conducted a survey for students from various
components that influence cybersecurity beliefs and prac- backgrounds on their awareness of cybersecurity. The
tices. The findings reveal women’s self-eficacy was much ifndings indicated that the anticipated vulnerability may
lower than men’s, so it could be a focus for improvement be more dependent on one’s appraisal of experience than
as the attackers might launch gender-specific attacks. one’s actual knowledge or competence [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ]. Then in [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ],
      </p>
      <p>
        In another research, the theoretical background was the focus was shifted to the emotional consequences of
based on self-determination theory and interest theory. being a victim. The author gathered some participants
These theories when combined, highlight the importance who described their breach experiences as containing
of interest in employees motivation for undergoing suc- emotion components, remedy action tendencies, and
psycessful cybersecurity training. Individuals natural inter- chological reactions. The results indicated that most
est in cybersecurity had mild moderating impacts on the people have had strong stressful reactions and are highly
links between self-determination and its important an- uncertain to take the right steps to handle the security
tecedents, according to their findings. Situational interest issues.
established during training, on the other hand, directly [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ] was talking on feelings about privacy. The authors
enhances motivation for cybersecurity training. Overall, reviewed data from diferent persons recruited through
their study emphasizes the interaction between interest an agency who had been questioned about security
proband self-determination. The findings lead them to be- lems related to their website access as the emphasis for
lieve that training programmes require a UI that uses the study. According to the outcomes, respondents in
the principles of this model-based system [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ]. In [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ], this study were more anxious about people whom may
the authors proposed a method that seeks to promote share accessibility to their digital information than about
a user-centered, info-driven, thorough, and systematic the measures in place to protect their information.
approach to healthcare cybersecurity analysis and man- In [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ], the authors were interested in privacy
transagement. As a result, a range of non-technical remedies gressions that are capable of damaging victims. Using a
is ofered in order to enhance organizations human com- study technique and polling some guardians of aged
perponents and help them become more competent in the sons with psychological disabilities through
interviewface of cyber-attacks and dangers. Their findings show ers, the authors were able to find the opportunities and
that a Just Culture can aid organizations in understand- barriers that were employed to safeguard persons
confiing the various cybersecurity risks that their employees dentiality. The thematic analysis found three key tactics
confront. [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ] was showcasing the fieldwork that directly commonly used to assist preserve privacy in this
population: limiting private information, minimizing online that women are more susceptible to cyber-attacks and
publication of personal information, and giving prompt diferences in gender causes diferent perception of
techand frequent instantaneous guidance and training. The nologies.
significance of the last piece is focused on the way the
technology can be used to develop remedies to reduce
reliance on caretakers for privacy protection. A revolu- 4. Methodology
tionary approach has been introduced in [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ] to
portraying cyberspace that allows for a thorough examination of As the objective of this research study is to provide
efiall aspects. It presents a three-dimensional model of the cient cybersecurity training materials, the framework is
environment, based on past research, that is optimized designed with two major components, as seen in Figure
to better comprehend how its qualities, attributes, and 1. The first component of the framework will be
responsithreats can be understood at any location and time in ble for identifying human-centric issues. The framework
addition to highlighting an organization’s cybersecurity will have questions associated with human factors like
strategy in [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ]. The primary goal for the authors of the age, gender, self- eficacy, motivation, and emotion.The
paper [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ]is to have a human-centric approach that is second component will test the user’s knowledge of
cybased on humanism and conservative principles that may ber awareness through a set of topic-specific questions
be traced back to the Reformation, the early Middle Ages, relating to phishing, password strength, malware, and
and even ancient Greece. It prioritizes human people cyber hygiene. The reason for having the topics
menas key security targets, regardless of nationality or citi- tioned above is because testing the people on just one
zenship. Rather than emphasizing networks’ territorial topic won’t be of any use, nor does testing everyone
sovereignty, this perspective sees them as an integral on technical topics like ofensive security, as everyone
aspect of the modern exercise of human rights, such as doesn’t need to know too many technical details
regardaccess to information, freedom of thought, and freedom ing cybersecurity. So, to have a fair awareness test, it
of association. The caveats of the cyber risks posed by the would be appropriate to test them on basic cybersecurity
infodemic are explored in [
        <xref ref-type="bibr" rid="ref16">16</xref>
        ], as well as what it means topics. To cover the basics, there are a few important
for the broader network of cybersecurity and the pro- areas that everyone must be aware of. The cybersecurity
tection of human rights in cyberspace. It also looks into topics like cyber-hygiene, password strength, phishing,
the harm caused by cyberattacks on vulnerable groups, malware, etc., are some of the important primary topics
especially in light of COVID-19. With a focus on age which everyone should know about. So, we chose these
and gender, the authors of [
        <xref ref-type="bibr" rid="ref17 ref18 ref19 ref20 ref21">17, 18, 19, 20, 21</xref>
        ] reported as our topics for testing cyber-awareness.
a simulated phishing experiment that targeted a large Then, we primarily worked on implementing our
subset of employees from the university. They found framework mentioned in Figure 1, which was our goal.
substantial efects on various age groups, on email types, Initially, to start with, we started building framework
and barely significant gender diferences after analysing questions that will help us to assess the human factors
human characteristics. associated with each individual. We primarily focused
      </p>
      <p>
        In another interesting research, the authors in [
        <xref ref-type="bibr" rid="ref22">22</xref>
        ] on human factors like age, gender, motivation and
selfused a training system to study diferent people and how determination, self-eficacy, and emotion.So each of these
they behave when it comes to a phishing scenario. The human factors will have some questions in the
frameresearch couldn’t find any significant evidence which work, and the questions framed will have predefined
shows that a particular gender group is more vulnera- answers to assess the human elements. For each human
ble, instead the research showed that the people of age factor, there will be a baseline score. If the user scores
bebetween 18 to 25 are the most vulnerable to phishing. low the baseline score, that user is considered to have an
There was another research by the authors of [
        <xref ref-type="bibr" rid="ref23">23</xref>
        ], that issue concerning the associated human factor. If not, the
just shows exactly the opposite of what the authors of user has no problems concerning the above-mentioned
[
        <xref ref-type="bibr" rid="ref22">22</xref>
        ] had proved. It showed that the younger age group human factors. We will store the results from the first
people have a higher awareness on cybersecurity than component before moving to the second component of
that of older aged people. The Netherlands-based re- the framework. The second component will assess the
searchers [
        <xref ref-type="bibr" rid="ref24">24</xref>
        ] analysed a very large number of employ- end user’s knowledge of cybersecurity. To do that, we
ees and discovered that people under the age of 26 were ifrst collected topic-specific framework questions
relatthe least likely to view phishing links, while those over ing to essential cybersecurity and then started to build
46 were significantly more likely than the people under the scoring system. Building the scoring system was the
the age of 26. And finally, the authors of [
        <xref ref-type="bibr" rid="ref25">25</xref>
        ] concludes most challenging task, as we had to find a way to display
that women are noticeably more likely than men to fall an individual’s top three weakest areas in cybersecurity.
victim to phishing. Also, in the same paper the authors
have quoted that several other previous studies shows The logic behind the scoring system is that we had
a baseline score for each topic; if the individual scores
below the baseline, that will be flagged. In the end, the
weakest three flagged areas will be displayed as the areas
to be given importance in cyber awareness training. If
the user scores below the baseline score on all the topics,
then it is best advised to train that individual on all the
essential topics in cybersecurity. So, with the help of
our first component, we will be able to identify the issue
associated with the human factors, if any. Based on that,
best practices are recommended to ensure that the
human factor issue is taken care of through the suggested
training material.
      </p>
      <p>Similarly, with the help of the second component, an
individual’s weaker areas regarding cybersecurity will
be identified, if any. And based on that, the framework
will suggest the training materials focusing on the
identified weaker areas and the same will be sent as an email
to the user’s mail.Sending automated emails is
possible because we are using a client-server modeled server
configured with google API, and that sends the final
recommendations that are being generated to the user as
an email to the user’s mail.. To conclude, we call the
framework personalized because the training materials
are recommended based on human factors and the
cyberawareness knowledge associated with each user.
Therefore, the training materials suggested for each user are
unique and help the framework overcome the issue of
suggesting generic cybersecurity training material.</p>
      <p>To summarize all the technologies we have used in
building our framework from scratch : To build the
frontend of the framework, we primarily used javascript, and
in some instances, we used typescript and converted that
to javascript. For the backend, we adapted the express
framework i.e Express.js, as it is open-source and
supports multi-page and hybrid web applications. Since our
framework is a multi-page web application, we used the
express framework. Finally, to host the framework, we
used an application called netlify, which is, again, a free
cloud computing company that ofers a development
platform that includes build, deploy, and serverless backend
services for web applications and dynamic websites. Also,
netlify supports git integration, so if we set up the git
repository, whenever we push some changes in the git
repository, the changes get deployed automatically in
the web application because of the git integration
feature ofered by netlify.Also, since the backend service has
to be built as a top layer of a server, we used an
application called heuroko, which is a platform as a service
cloud provider that supports multiple programming
languages. So, we configured the server with a google API,
so whenever the framework analyzes a user and gives
a recommendation, the same is sent to the user’s email,
which the user enters initially at the basic information
page</p>
      <sec id="sec-2-1">
        <title>Previously, all the existing research was all about safe and recommended practices that would help the training</title>
        <p>Proposed Solution
The framework will account for the age factor. Based on
the age factor, the intensity of the cybersecurity training
program will be formulated. Like if the individual
undergoing training is younger, then the individual is expected
to be more cyber-aware than the other age groups, so
less intensive training. Also, the formulated intensity will
again be verified with the individual’s cyber-awareness.
If both matches, then the intensity of the personalized
cybersecurity training program will be less else vice versa.
The framework will account for the gender factor. As
the attackers might launch gender-specific attacks
targeting women’s self-eficacy, the cybersecurity training
program for women, in general, will have resources to
boost their morale and confidence. So, this ensures that
there is equal fairness for all genders in accessing
technologies.</p>
        <p>The framework will account for the motivation factor.
The cybersecurity training program will enforce
accountability, and relevancy and makes sure that everyone
understands the importance of cyber-awareness. Thereby,
instilling motivation.</p>
        <p>In the personalized cybersecurity training program
produced by our framework, there will be a testing
environment where people can demonstrate learned skills. As
this acts as reinforcement for their learning, at times of
necessity, people will know what action to take.
program to be successful. In our framework, the final
recommendations are adapted from the existing research
that are proven to positively afect training programs.
But the framework to analyze the issues associated with
human factors and cyber-awareness knowledge of each
user was designed by us entirely from scratch.</p>
      </sec>
    </sec>
    <sec id="sec-3">
      <title>5. Results</title>
      <sec id="sec-3-1">
        <title>Through our extensive research, we found that Generic</title>
        <p>
          cybersecurity training material hinders the success of a
cybersecurity training program (Adams 2018; Winkler
2016, cited in [
          <xref ref-type="bibr" rid="ref1">1</xref>
          ]). Human factors must be considered
while designing a cybersecurity training program. In
Table 1, we describe the human factors considered in our
framework and the associated findings. The proposed
solution will account for the human factors, recommended
practices, and the framework where we will identify the
weaker areas of an individual concerning cybersecurity.
        </p>
        <p>The recommended best practices for the associated
human factor will be generated and stored. This will be done
with the help of a few questions that collect information
about the human factors associated with the individual,
and based on that, the scores for the associated human
factor will be generated. As seen from the methodology,
if need be, recommended practices for the associated
human factor will be generated depending on the score.</p>
        <p>Also, the user will be entitled to answer questions in
the framework focusing on topics like cyber-hygiene,
phishing, password strength, malware, and physical
security. So, all the people undergoing training will have
to answer these questions, with which the individual’s
cyber-awareness will be measured with the help of the
scoring system we have designed. Through scores, the
framework will identify the weaker areas of the
individual, and the suggested training material will focus
more on the weaker areas, thereby avoiding suggesting
a generic cybersecurity training material which is one of
the significant challenges in having a successful training
program. So, with the help of this framework, it will be
possible to create a personalized cybersecurity training
program based on the needs of everyone. The workflow
of our framework from the start can be seen below:
1. Firstly, the user is prompted to give basic
information like user email, age, and gender, as seen
in Figure 2.
2. Secondly, the user will be taken to a second
screen, where the framework will collect
humanfactor information with the help of section-wise
questions on motivation, self-eficacy, and
emotion, as seen in Figure 3. The questions that we
use to test the factors mentioned above can be
found in the miscellaneous section.
3. After collecting the human factor information and
assessing them, the user will be taken to the
cyberawareness test, as seen in Figure 4, where they
will be entitled to answer topic-wise questions
relating to cybersecurity.
4. Finally with the help of the scoring system, we
display the recommended best practices to
improvise the associated human factor - only if we
analyze that there are issues specific to any of
these human factors: Motivation, Self-Eficacy,
and Emotion. Since, at this point, the end-user’s
knowledge is already tested, based on the
identiifed weaker areas, appropriate recommendations
along with the learning resource for each sec- Figure 3: Collecting human-factor information through the
tion are displayed in the final recommendations framework
page.Also, the final recommendations for each
user will be automatically sent to the user’s email
which they enter and a sample image of the
received email by the user can be seen in Figure
6.</p>
      </sec>
      <sec id="sec-3-2">
        <title>Let’s say the user takes the test and is identified with a</title>
        <p>low self-eficacy factor to demonstrate a scenario. Also,
in the cyber-awareness test, the user is assessed to be
weak in physical security, phishing, and ransomware
attacks. In this case, the final recommendations screen
will look like the one in the Figure 5.</p>
      </sec>
    </sec>
    <sec id="sec-4">
      <title>6. Conclusion</title>
      <p>To provide efective cybersecurity training, this study generic, which will be resolved with our proposed
frameaccounts for the importance of human factors in cyber- work. As our framework considers various human factors
security. It is evident from the study that there is a need and identifies weak areas of each individual undergoing
for a successful cybersecurity training program and to the cybersecurity training, a personalized cybersecurity
have a positive outcome on the training program, this training material will be suggested focusing more on the
study also provides the best practices that will assist orga- individual’s weaker areas.
nizations in achieving successful cybersecurity training
programs. One of the most important issues of an
organization’s cybersecurity training was the training being</p>
    </sec>
    <sec id="sec-5">
      <title>7. Future Work</title>
      <sec id="sec-5-1">
        <title>As of now, the framework can identify the issues related</title>
        <p>to human factors associated with each user and identify
weaker areas of the individual regarding cybersecurity.
Based on that, we will recommend how to improve those
human factors and the weaker cybersecurity areas to
focus on. For now, as a recommendation to enhance
weaker cybersecurity topics, we put up a resource link for
the associated issues where the user can learn more about
the topic. This is done since, to suggest cybersecurity
training materials based on the knowledge of each user,
we need an extensive data set of cybersecurity training
materials. We are still collecting the training materials. In
the future, when we have enough datasets, the framework
will be able to suggest cybersecurity training materials
rather than putting up resource links.</p>
      </sec>
    </sec>
    <sec id="sec-6">
      <title>8. Miscellaneous</title>
      <p>In the framework, we have two sections where the user
has to go through a set of questions for the framework to
assess the user.The framework can be accessed through
this link: https://cyber-awareness.netlify.app/. The user
won’t be able to navigate to a diferent question without
answering the first question. The user will be navigated
to the next question automatically once the first question
is answered. Once the user answers all the questions
displayed under the framework, the user will be assessed
both for the issues associated with the human-factors
and cybersecurity awareness, and the respective
recommendations will be displayed in the end.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>W.</given-names>
            <surname>He</surname>
          </string-name>
          ,
          <string-name>
            <surname>Z. J. Zhang,</surname>
          </string-name>
          <article-title>Enterprise cybersecurity training and awareness programs: Recommendations for success</article-title>
          ,
          <source>Journal of organizational computing and electronic commerce 29</source>
          (
          <year>2019</year>
          )
          <fpage>249</fpage>
          -
          <lpage>257</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>M.</given-names>
            <surname>Anwar</surname>
          </string-name>
          ,
          <string-name>
            <given-names>W.</given-names>
            <surname>He</surname>
          </string-name>
          ,
          <string-name>
            <given-names>I.</given-names>
            <surname>Ash</surname>
          </string-name>
          ,
          <string-name>
            <given-names>X.</given-names>
            <surname>Yuan</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Li</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Xu</surname>
          </string-name>
          ,
          <article-title>Gender diference and employees' cybersecurity behaviors</article-title>
          ,
          <source>Computers in human behavior 69</source>
          (
          <year>2017</year>
          )
          <fpage>437</fpage>
          -
          <lpage>443</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>O.</given-names>
            <surname>Haggag</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Grundy</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Abdelrazek</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Haggag</surname>
          </string-name>
          ,
          <article-title>A large scale analysis of mhealth app user reviews</article-title>
          ,
          <source>in: Empir Software Eng</source>
          <volume>27</volume>
          ,
          <issue>196</issue>
          (
          <year>2022</year>
          ),
          <year>2022</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>A.</given-names>
            <surname>Pollini</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T. C.</given-names>
            <surname>Callari</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Tedeschi</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Ruscio</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Save</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Chiarugi</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Guerri</surname>
          </string-name>
          ,
          <article-title>Leveraging human factors in cybersecurity: an integrated methodological approach</article-title>
          , Cognition,
          <source>technology work 24</source>
          (
          <year>2021</year>
          )
          <fpage>371</fpage>
          -
          <lpage>390</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>H.</given-names>
            <surname>Kam</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D. K.</given-names>
            <surname>Ormond</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Menard</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R. E.</given-names>
            <surname>Crossler</surname>
          </string-name>
          ,
          <article-title>That's interesting: An examination of interest theory and self-determination in organisational cybersecurity training</article-title>
          ,
          <source>Information systems journal (Oxford, England)</source>
          (
          <year>2021</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>S. M.</given-names>
            <surname>Debb</surname>
          </string-name>
          ,
          <article-title>Keeping the human in the loop: Awareness and recognition of cybersecurity within cyberpsychology, Cyberpsychology, behavior and social networking 24 (</article-title>
          <year>2021</year>
          )
          <fpage>581</fpage>
          -
          <lpage>583</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>L.</given-names>
            <surname>Knapova</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Kruzikova</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Dedkova</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Smahel</surname>
          </string-name>
          ,
          <article-title>Who is smart with their smartphones? determinants of smartphone security behavior, Cyberpsychology, behavior and social networking 24 (</article-title>
          <year>2021</year>
          )
          <fpage>584</fpage>
          -
          <lpage>592</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <surname>T. van Steen</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. R.</given-names>
            <surname>Deeleman</surname>
          </string-name>
          ,
          <article-title>Successful gamification of cybersecurity training, Cyberpsychology, behavior and social networking 24 (</article-title>
          <year>2021</year>
          )
          <fpage>593</fpage>
          -
          <lpage>598</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>S. M.</given-names>
            <surname>Debb</surname>
          </string-name>
          ,
          <string-name>
            <surname>M. K. McClellan</surname>
          </string-name>
          ,
          <article-title>Perceived vulnerability as a determinant of increased risk for cybersecurity risk behavior, Cyberpsychology, behavior and social networking 24 (</article-title>
          <year>2021</year>
          )
          <fpage>65</fpage>
          -
          <lpage>611</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>S.</given-names>
            <surname>Budimir</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. R.</given-names>
            <surname>Fontaine</surname>
          </string-name>
          ,
          <string-name>
            <given-names>E. B.</given-names>
            <surname>Roesch</surname>
          </string-name>
          ,
          <article-title>Emotional experiences of cybersecurity breach victims, Cyberpsychology, behavior and social networking 24 (</article-title>
          <year>2021</year>
          )
          <fpage>612</fpage>
          -
          <lpage>616</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>V.</given-names>
            <surname>Kisekka</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. S.</given-names>
            <surname>Giboney</surname>
          </string-name>
          ,
          <article-title>The efectiveness of health care information technologies: Evaluation of trust, security beliefs, and privacy as determinants of health care outcomes</article-title>
          ,
          <source>Journal of medical Internet research 20</source>
          (
          <year>2018</year>
          )
          <fpage>e107</fpage>
          -
          <lpage>e107</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <given-names>J. N.</given-names>
            <surname>Rocheleau</surname>
          </string-name>
          ,
          <string-name>
            <given-names>H.</given-names>
            <surname>Chalghoumi</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Jutai</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Farrell</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y.</given-names>
            <surname>Lachapelle</surname>
          </string-name>
          ,
          <string-name>
            <given-names>V.</given-names>
            <surname>Cobigo</surname>
          </string-name>
          ,
          <article-title>Caregivers' role in cybersecurity for aging information technology users with intellectual disabilities, Cyberpsychology, behavior and social networking 24 (</article-title>
          <year>2021</year>
          )
          <fpage>624</fpage>
          -
          <lpage>629</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name>
            <given-names>A.</given-names>
            <surname>Venables</surname>
          </string-name>
          ,
          <article-title>Modelling cyberspace to determine cybersecurity training requirements, Frontiers in education (Lausanne) 6 (</article-title>
          <year>2021</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [14]
          <string-name>
            <given-names>M.</given-names>
            <surname>Bada</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. R.</given-names>
            <surname>Nurse</surname>
          </string-name>
          ,
          <article-title>Developing cybersecurity education and awareness programmes for smalland medium-sized enterprises (smes), Information</article-title>
          and computer security 27 (
          <year>2019</year>
          )
          <fpage>393</fpage>
          -
          <lpage>410</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [15]
          <string-name>
            <given-names>R. J.</given-names>
            <surname>Deibert</surname>
          </string-name>
          ,
          <article-title>Toward a human-centric approach to cybersecurity</article-title>
          ,
          <source>Ethics international afairs 32</source>
          (
          <year>2018</year>
          )
          <fpage>411</fpage>
          -
          <lpage>424</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [16]
          <string-name>
            <given-names>T.</given-names>
            <surname>Smith,</surname>
          </string-name>
          <article-title>The infodemic as a threat to cybersecurity, The international journal of intelligence, security, and public afairs 23 (</article-title>
          <year>2021</year>
          )
          <fpage>180</fpage>
          -
          <lpage>196</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          [17]
          <string-name>
            <given-names>F. L.</given-names>
            <surname>Greitzer</surname>
          </string-name>
          ,
          <string-name>
            <given-names>W.</given-names>
            <surname>Li</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K. B.</given-names>
            <surname>Laskey</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Lee</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Purl</surname>
          </string-name>
          ,
          <article-title>Experimental investigation of technical and human factors related to phishing susceptibility</article-title>
          ,
          <source>ACM transactions on social computing 4</source>
          (
          <year>2021</year>
          )
          <fpage>1</fpage>
          -
          <lpage>48</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          [18]
          <string-name>
            <given-names>O.</given-names>
            <surname>Haggag</surname>
          </string-name>
          ,
          <article-title>Better identifying and addressing diverse issues in mhealth and emerging apps using user reviews</article-title>
          ,
          <source>in: The International Conference on Evaluation and Assessment in Software Engineering</source>
          <year>2022</year>
          ,
          <year>2022</year>
          , pp.
          <fpage>329</fpage>
          -
          <lpage>335</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          [19]
          <string-name>
            <given-names>O.</given-names>
            <surname>Haggag</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Haggag</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Grundy</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Abdelrazek</surname>
          </string-name>
          , Covid
          <article-title>-19 vs social media apps: Does privacy really matter?</article-title>
          ,
          <source>in: 2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Society (ICSE-SEIS)</source>
          , IEEE,
          <year>2021</year>
          , pp.
          <fpage>48</fpage>
          -
          <lpage>57</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          [20]
          <string-name>
            <given-names>O.</given-names>
            <surname>Haggag</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Grundy</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Abdelrazek</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Haggag</surname>
          </string-name>
          ,
          <article-title>Better addressing diverse accessibility issues in emerging apps: A case study using covid-19 apps</article-title>
          ,
          <source>in: 9th IEEE/ACM International Conference on Mobile Software Engineering and Systems</source>
          <year>2022</year>
          (MobileSoft
          <year>2022</year>
          ),
          <year>2022</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          [21]
          <string-name>
            <given-names>M.</given-names>
            <surname>Fazzini</surname>
          </string-name>
          ,
          <string-name>
            <given-names>H.</given-names>
            <surname>Khalajzadeh</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Haggag</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Z.</given-names>
            <surname>Li</surname>
          </string-name>
          ,
          <string-name>
            <given-names>H.</given-names>
            <surname>Obie</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Arora</surname>
          </string-name>
          ,
          <string-name>
            <given-names>W.</given-names>
            <surname>Hussain</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Grundy</surname>
          </string-name>
          ,
          <article-title>Characterizing human aspects in reviews of covid-19 apps</article-title>
          ,
          <source>in: 9th IEEE/ACM International Conference on Mobile Software Engineering and Systems</source>
          <year>2022</year>
          (MobileSoft
          <year>2022</year>
          ),
          <year>2022</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          [22]
          <string-name>
            <given-names>P.</given-names>
            <surname>Kumaraguru</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Cranshaw</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Acquisti</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Cranor</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Hong</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Blair</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Pham</surname>
          </string-name>
          ,
          <article-title>School of phish: a real-world evaluation of anti-phishing training</article-title>
          ,
          <source>in: Proceedings of the 5th Symposium on usable privacy and security</source>
          ,
          <source>SOUPS '09</source>
          ,
          <string-name>
            <surname>ACM</surname>
          </string-name>
          ,
          <year>2009</year>
          , pp.
          <fpage>1</fpage>
          -
          <lpage>12</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          [23]
          <string-name>
            <given-names>E.</given-names>
            <surname>Kim</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Yoon</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Kwon</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Liaw</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A. M.</given-names>
            <surname>Agogino</surname>
          </string-name>
          ,
          <article-title>From innocent irene to parental patrick: Framing user characteristics and personas to design for cybersecurity</article-title>
          ,
          <source>in: Proceedings of the Design Society</source>
          , volume
          <volume>1</volume>
          , Cambridge University Press, Cambridge,
          <year>2019</year>
          , pp.
          <fpage>1773</fpage>
          -
          <lpage>1782</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          [24]
          <string-name>
            <given-names>A.</given-names>
            <surname>Baillon</surname>
          </string-name>
          , J. de Bruin,
          <string-name>
            <given-names>A.</given-names>
            <surname>Emirmahmutoglu</surname>
          </string-name>
          , E. van de Veer,
          <string-name>
            <surname>B. van Dijk</surname>
          </string-name>
          ,
          <article-title>Informing, simulating experience, or both: A field experiment on phishing risks</article-title>
          ,
          <source>PloS one 14</source>
          (
          <year>2019</year>
          )
          <fpage>e0224216</fpage>
          -
          <lpage>e0224216</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          [25]
          <string-name>
            <given-names>S.</given-names>
            <surname>Sheng</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Holbrook</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Kumaraguru</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Cranor</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Downs</surname>
          </string-name>
          ,
          <article-title>Who falls for phish?: a demographic analysis of phishing susceptibility and efectiveness of interventions, in: Proceedings of the SIGCHI Conference on human factors in computing systems</article-title>
          ,
          <source>CHI '10</source>
          ,
          <string-name>
            <surname>ACM</surname>
          </string-name>
          ,
          <year>2010</year>
          , pp.
          <fpage>373</fpage>
          -
          <lpage>382</lpage>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>