Date of Award
Doctor of Philosophy in Computer Information Systems (DCIS)
College of Engineering and Computing
Steven R. Terrell
cybersecurity, cybersecurity skills, development research, information security, information security skills of non-IT professionals, risk mitigation tool
Completing activities online are a part of everyday life, both professionally and personally. But, conducting daily operations, interacting, and sharing information on the Internet does not come without its risks as well as a potential for harm. Substantial financial and information losses for individuals, organizations, and governments are reported regularly due to vulnerabilities as well as breaches caused by insiders. Although advances in Information Technology (IT) have been significant over the past several decades when it comes to protection of corporate information systems (IS), human errors and social engineering appear to prevail in circumventing such IT protections. While most employees may have the best of intentions, without cybersecurity skills they represent the weakest link in an organization’s IS security. Skills are defined as the combination of knowledge, experience, and ability to do something well. Cybersecurity skills correspond to the skills surrounding the hardware and software required to execute IS security to mitigate cyber-attacks. The main goal of this research study was to develop a scenarios-based, hands-on measure of non-IT professionals’ cybersecurity skills. As opposed to IT professionals, end-users are one of the weakest links in the cybersecurity chain, due to their limited cybersecurity skills. Historically, non-IT professionals (i.e., office assistants, managers, executives) have access to sensitive data and represent 72% to 95% of cybersecurity threats to organizations. This study addressed the problem of threats to organizational IS due to vulnerabilities and breaches caused by employees. Current measures of cybersecurity skills of non-IT professionals are based on self-reported surveys and were found inaccurate. Prior IS and medical research found participants view scenarios as nonintrusive and unintimidating. Therefore, this research study utilized scenarios with observable hands-on tasks to measure and quantify cybersecurity skills of non-IT professionals. This study included developmental research with a sequential-exploratory approach to combine qualitative and quantitative data collection. To ensure validity and reliability of the Cybersecurity Skills Index (CSI), a panel of 18 subject matter experts (SMEs) reviewed the CSI following the Delphi expert methodology. The SMEs’ responses were incorporated into the development of an iPad application (app) prototype (MyCyberSkills™). Following the iPad app prototype development, eight SMEs provided feedback on the scenarios, tasks, and scoring of the app using the Delphi technique. Furthermore, pilot testing of the app was conducted by manually collecting and scoring the hands-on task performance of a group of 21 non-IT professionals. The manually collected data were compared to the app computed results to ensure reliability and validity. All revisions were incorporated into the prototype prior to the start of the empirical research phase. Once the iPad app prototype was completed and fully tested, the quantitative research phase used the prototype to collect data and document the results of the measure. Participants from multiple public organizations were asked to complete the scenarios-based, hands-on tasks as presented in the prototype. Following the pre-analysis data screening, this study used a combination of descriptive statistics and one-way analysis of variance (ANOVA) to address the research questions. Results from 188 participants indicate that educational level and experience using technology appear to be significant demographic variables when it comes to the level of cybersecurity skills demonstrated by non-IT professionals. Moreover, job function, hours accessing the Internet, or primary online activity did not appear to be significant variables when it comes to the level of cybersecurity skills of this population. This research validated that the CSI benchmarking index could be used to assess an individual’s cybersecurity skills level. As organizations continue to rely on the Internet for conducting their daily operations, understanding an employee’s cybersecurity skills level is critical to securing an organization’s IS. Moreover, the CSI operationalized into the MyCyberSkills™ iPad app prototype can be used to assess an organization’s employee’s demonstrated skills on cybersecurity tasks. Furthermore, assessing the cybersecurity skills levels of employees could provide an organization insight into what is needed to further mitigate threats due to vulnerabilities and breaches caused by employees. Discussions and implications for future research are provided.
Melissa Carlton. 2016. Development of a Cybersecurity Skills Index: A Scenarios-Based, Hands-On Measure of Non-IT Professionals' Cybersecurity Skills. Doctoral dissertation. Nova Southeastern University. Retrieved from NSUWorks, College of Engineering and Computing. (979)