The Employee Cybersecurity Awareness Framework
Laura M. Bishop, Phoebe M. Asquith, Phillip L. Morgan
Human Behavior and Emerging Technologies, Volume 2025, Issue 1. Published 2025-07-17. Journal Article.
DOI: 10.1155/hbe2/1025045
https://onlinelibrary.wiley.com/doi/10.1155/hbe2/1025045
Citation count: 0
Abstract
With cyberattack methods becoming increasingly sophisticated and end-users of targeted technology continuing to be the weakest link, it is crucial to develop more optimal ways to measure and better understand human cybersecurity behaviour risk. Across three studies, a tool consisting of a battery of established questionnaires and other measures to investigate employee cybersecurity vulnerability factors was tested and developed. Study 1 determined key correlating factors including security–self-efficacy, experience and involvement, awareness and organisational policy, with large effect sizes. A refined tool was deployed in Study 2 amongst a larger sample of employees within a multinational organisation. Exploratory factor analysis determined two latent factors—cybersecurity awareness and psychological ownership. However, 55% of variance within a regression model was explained by cybersecurity awareness alone. Study 3 included an even larger sample employed by multiple organisations—with cybersecurity awareness accounting for 60% of variance. We propose the employee cybersecurity awareness framework (ECAF) with cybersecurity awareness at its core and containing six underlying factors: threat appraisal, information security self-efficacy, information security awareness, information security attitude, information security operation policy and cybersecurity experience and involvement. The ECAF can be deployed by organisations to optimally measure employee cybersecurity risk factors and determine optimal interventions tailored to risk profiles.
About the journal:
Human Behavior and Emerging Technologies is an interdisciplinary journal dedicated to publishing high-impact research that enhances understanding of the complex interactions between diverse human behavior and emerging digital technologies.