Need/background: Cyber-security threats are causing substantial financial losses for individuals, organizations, and governments. Computer users' mistakes, due to poor cyber-security skills, represent about 50% to 75% of cyber-security threats to organizations.
Rationale: As opposed to IT professionals, computer end-users are one of the weakest links in the cyber-security chain, due to their limited cyber-security skills. Skills are defined as the combination of knowledge, experience, and ability to do something well. Cyber-security skills are the skills one possesses to prevent damage to computer systems via the Internet. However, the current measures of end-user cyber-security skills are based on self-reported surveys. This proposal will address this challenge by developing a scenario-based iPad application to measure cyber-security skills based on actual scenarios that the participants complete in demonstrating their skills.
Methodology: To design a measure that has both high validity and reliability, this research will use mixed methods (qualitative and quantitative) together with the development of the iPad application (app) to measure cyber-security skills. The qualitative phase will include expert panel feedback on the set of skills that are critical for the end-users' scenario-based cyber-security skills index (CSSI), drawn from skills found in the literature and those developed by the PI. These skills will be mapped into scenarios with four activities, each testing the participant's skill level. The app will capture the quantitative score for each skill level demonstrated using a group of 200 NSU employees/participants, along with anonymous demographic data.
Data-analysis: The qualitative expert panel data will be recorded and categorized into similar groups of comments for improvements. The quantitative data from the CSSI-App will be analyzed using factor analysis and reliability analysis, and reports will be produced.
Significance: Development of a scenario-based tool to measure cyber-security skills can help organizations identify those groups of individuals that may need additional training in order to reduce cyber-security threats.