Cyber security training for critical infrastructure protection: A literature review

“…One of the main concerns of noncompliance of the personnel with the defined security policies for an organisation constitutes the main concern [12,18,21]. If employees do not fully comply with these policies, the efficacy of the relevant protection mechanisms is lost.…”

“…From the various compliance approaches, effective training is considered the most commonly proposed solution. Nevertheless, only a few of the existing studies evaluate the results of professional training in organisations and promote policies for compliance in the working environment [12,18]. The theory is rarely utilised to explain what factors are affecting users' compliance with security policies or even provide empirical evidence from their actual application.…”

“…Researches for security training ordinarily incorporate pedagogical principles as the primary methodology to enhance the user's compliance [18,20,21]. In 1998, Baldwin and Ford [22] defined the transfer of learning to the working environment as "the degree to which trainees effectively apply the knowledge, skills, and attitudes gained in the training context to the job".…”

“…A simplified illustration of the training transfer model is depicted in Figure 1. However, it is estimated that around 10-40% of all training experiences will be transferred to the workplace [7,17,18]. Moreover, as time passes from the completion of the training programme, employees usually becoming less motivated to retain the new operational behaviours (e.g., after one year).…”

“…Regarding cyber-security training, although there is an increasing demand for modern Cyber-Range platforms with advance technical features (e.g., emulation, simulation, serious gaming), the transfer of the learned skills and the adjustment of the organisation's operation has been completely overlooked in almost all cases [17][18][19].…”

CYRA: A Model-Driven CYber Range Assurance Platform

“…One of the main concerns of noncompliance of the personnel with the defined security policies for an organisation constitutes the main concern [12,18,21]. If employees do not fully comply with these policies, the efficacy of the relevant protection mechanisms is lost.…”

“…From the various compliance approaches, effective training is considered the most commonly proposed solution. Nevertheless, only a few of the existing studies evaluate the results of professional training in organisations and promote policies for compliance in the working environment [12,18]. The theory is rarely utilised to explain what factors are affecting users' compliance with security policies or even provide empirical evidence from their actual application.…”

“…Researches for security training ordinarily incorporate pedagogical principles as the primary methodology to enhance the user's compliance [18,20,21]. In 1998, Baldwin and Ford [22] defined the transfer of learning to the working environment as "the degree to which trainees effectively apply the knowledge, skills, and attitudes gained in the training context to the job".…”

“…A simplified illustration of the training transfer model is depicted in Figure 1. However, it is estimated that around 10-40% of all training experiences will be transferred to the workplace [7,17,18]. Moreover, as time passes from the completion of the training programme, employees usually becoming less motivated to retain the new operational behaviours (e.g., after one year).…”

“…Regarding cyber-security training, although there is an increasing demand for modern Cyber-Range platforms with advance technical features (e.g., emulation, simulation, serious gaming), the transfer of the learned skills and the adjustment of the organisation's operation has been completely overlooked in almost all cases [17][18][19].…”

CYRA: A Model-Driven CYber Range Assurance Platform

Infrastructure and Complex Systems Automation

Survey of Users’ Willingness to Adopt and Pay for Cybersecurity Training