Abstract
An organization's ability to face threats and overcome cybersecurity vulnerabilities depends to a large extent on the level of training and awareness of its personnel and, consequently, on the existence of a competency framework that identifies the training and awareness indicators required for each job.
This article offers a systematic review of the literature to explore the use of competency models when developing training and awareness programs in cybersecurity aimed at non-technical personnel in organizations.
An examination of the literature shows that, although a large number of studies address cybersecurity training and awareness, research on competency models for non-specialized personnel remains significantly scarce, methodologies have not evolved significantly, and the few skills models available incorporate job profiles only in a limited way.
As a result, and with the aim of advancing knowledge in this particular field, this article presents a competency-based model for non-ICT personnel that includes the configuration of training and awareness plans according to job profiles, thus incorporating the necessary cybersecurity competencies into organizations' general map of competencies.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Copyright (c) 2022 Pixel-Bit. Media and Education Journal