Khám Phá Chiến Lược Nâng Cao Nhận Thức và Đào Tạo An Ninh Mạng

Chuyên khảo phân tích Exploring cybersecurity awareness and training strategies to prot, đánh giá các khía cạnh quan trọng, đề xuất hướng nghiên cứu tiếp theo.

Trường đại học

Walden University

Chuyên ngành

Information Technology

Người đăng

Ẩn danh

Thể loại

Doctoral Study

2020

195
2
0

Phí lưu trữ

45 Point

Mục lục chi tiết

DEDICATION

ACKNOWLEDGEMENTS

1. SECTION 1: FOUNDATION OF THE STUDY

1.1. Background of the Problem

1.2. Nature of the Study

1.3. Interview/Survey Questions

1.4. Assumptions, Limitations, and Delimitations

1.5. Significance of the Study

1.6. Contribution to Information Technology Practice

1.7. Implications for Social Change

1.8. A Review of the Professional and Academic Literature

1.8.1. Social Cognitive Theory

1.8.2. Components and Modes of Human Agency

1.8.3. Triadic Reciprocal Determinism Model and Constructs

1.8.4. Contrasting and Similar Theories

1.8.5. Cybersecurity Awareness and Training

1.8.6. Human Factor in Cybersecurity

1.8.7. Security Education, Training, and Awareness Research

1.9. Transition and Summary

2. SECTION 2: THE PROJECT

2.1. Role of the Researcher

2.2. Research Method and Design

2.3. Population and Sampling

2.4. Data Collection Technique

2.5. Data Organization Techniques

2.6. Data Analysis Technique

2.7. Reliability and Validity

2.8. Transition and Summary

3. SECTION 3: APPLICATION TO PROFESSIONAL PRACTICE AND IMPLICATIONS FOR CHANGE

3.1. Overview of Study

3.2. Presentation of the Findings

3.2.1. Theme 1: Consistent, Persistent and Relevant Training and Awareness

3.2.2. Theme 2: Awareness and Training Based Off Threats, Risks and Vulnerabilities

3.2.3. Theme 3: Consequences and Disclosed Expectations

3.3. Applications to Professional Practice

3.4. Implications for Social Change

3.5. Recommendations for Action

3.6. Recommendations for Further Study

3.7. Summary and Study Conclusions

APPENDIX A: INTERVIEW PROTOCOL

APPENDIX B: INTERVIEW QUESTIONS

APPENDIX C: LETTER OF INVITATION

APPENDIX D: INFORMED CONSENT FORM

LIST OF TABLES

Tóm tắt

I. Tổng quan về chiến lược nâng cao nhận thức an ninh mạng

Chiến lược nâng cao nhận thức và đào tạo an ninh mạng là một phần quan trọng trong việc bảo vệ thông tin và hệ thống dữ liệu của tổ chức. Việc hiểu rõ về các mối đe dọa và rủi ro liên quan đến an ninh mạng giúp nhân viên có thể thực hiện các biện pháp phòng ngừa hiệu quả. Theo nghiên cứu, 58% nhân viên không biết cách bảo vệ tổ chức khỏi các hoạt động độc hại, cho thấy sự cần thiết của các chương trình giáo dục và đào tạo an ninh mạng.

1.1. Định nghĩa và tầm quan trọng của an ninh mạng

An ninh mạng đề cập đến các biện pháp bảo vệ thông tin và hệ thống khỏi các mối đe dọa. Việc nâng cao nhận thức về an ninh mạng giúp tổ chức giảm thiểu rủi ro và bảo vệ dữ liệu nhạy cảm.

1.2. Các yếu tố ảnh hưởng đến nhận thức an ninh mạng

Nhận thức an ninh mạng bị ảnh hưởng bởi nhiều yếu tố như văn hóa tổ chức, chính sách bảo mật và mức độ đào tạo của nhân viên. Các yếu tố này cần được xem xét để xây dựng một chương trình đào tạo hiệu quả.

II. Vấn đề và thách thức trong đào tạo an ninh mạng

Một trong những thách thức lớn nhất trong việc đào tạo an ninh mạng là sự thiếu hụt kiến thức và kỹ năng của nhân viên. Nhiều nhân viên không nhận thức được các mối đe dọa hiện tại và cách thức bảo vệ thông tin. Điều này dẫn đến việc tổ chức dễ bị tấn công và mất mát dữ liệu.

2.1. Thiếu hụt kiến thức về an ninh mạng

Nhiều nhân viên không được đào tạo đầy đủ về các mối đe dọa an ninh mạng, dẫn đến việc họ không biết cách phản ứng khi gặp sự cố.

2.2. Khó khăn trong việc duy trì sự chú ý của nhân viên

Việc duy trì sự chú ý và cam kết của nhân viên trong các chương trình đào tạo an ninh mạng là một thách thức lớn. Nhiều nhân viên có thể cảm thấy chán nản với các khóa học dài và không thực tế.

III. Phương pháp hiệu quả trong đào tạo an ninh mạng

Để nâng cao hiệu quả của các chương trình đào tạo an ninh mạng, tổ chức cần áp dụng các phương pháp đa dạng và sáng tạo. Việc sử dụng các tình huống thực tế và mô phỏng có thể giúp nhân viên hiểu rõ hơn về các mối đe dọa và cách phòng ngừa.

3.1. Sử dụng mô phỏng và tình huống thực tế

Mô phỏng các tình huống tấn công an ninh mạng giúp nhân viên thực hành và chuẩn bị tốt hơn cho các tình huống thực tế.

3.2. Đào tạo liên tục và cập nhật thông tin

Đào tạo an ninh mạng cần được thực hiện thường xuyên và cập nhật để phản ánh các mối đe dọa mới nhất. Điều này giúp nhân viên luôn sẵn sàng đối phó với các tình huống khẩn cấp.

IV. Ứng dụng thực tiễn và kết quả nghiên cứu về an ninh mạng

Nghiên cứu cho thấy rằng các chương trình đào tạo an ninh mạng hiệu quả có thể giảm thiểu rủi ro và bảo vệ thông tin tổ chức. Các tổ chức đã áp dụng các chiến lược đào tạo này đã ghi nhận sự cải thiện rõ rệt trong nhận thức và hành vi của nhân viên.

4.1. Kết quả từ các tổ chức đã áp dụng

Nhiều tổ chức đã báo cáo giảm thiểu sự cố an ninh mạng sau khi triển khai các chương trình đào tạo an ninh mạng hiệu quả.

4.2. Tác động tích cực đến văn hóa tổ chức

Việc nâng cao nhận thức về an ninh mạng không chỉ bảo vệ thông tin mà còn tạo ra một văn hóa tổ chức tích cực hơn về bảo mật thông tin.

V. Kết luận và tương lai của chiến lược an ninh mạng

Chiến lược nâng cao nhận thức và đào tạo an ninh mạng sẽ tiếp tục đóng vai trò quan trọng trong việc bảo vệ thông tin và hệ thống dữ liệu. Tương lai của an ninh mạng sẽ phụ thuộc vào khả năng tổ chức trong việc thích ứng với các mối đe dọa mới và cải thiện chương trình đào tạo.

5.1. Tầm quan trọng của việc cải tiến liên tục

Cải tiến liên tục trong các chương trình đào tạo an ninh mạng là cần thiết để đối phó với các mối đe dọa đang thay đổi.

5.2. Hướng đi mới trong đào tạo an ninh mạng

Các công nghệ mới như trí tuệ nhân tạo và học máy có thể được áp dụng để nâng cao hiệu quả của các chương trình đào tạo an ninh mạng.

25/07/2025

Trích đoạn nội dung tài liệu

Walden University ScholarWorks Walden Dissertations and Doctoral Studies Walden Dissertations and Doctoral Studies Collection 2020 Exploring Cybersecurity Awareness and Training Strategies To Protect Information Systems and Data Michael Hanna Walden University Follow this and additional works at: https://scholarworks.edu/dissertations Part of the Databases and Information Systems Commons, and the Social Psychology Commons This Dissertation is brought to you for free and open access by the Walden Dissertations and Doctoral Studies Collection at ScholarWorks. It has been accepted for inclusion in Walden Dissertations and Doctoral Studies by an authorized administrator of ScholarWorks. For more information, please contact ScholarWorks@waldenu. Walden University College of Management and Technology This is to certify that the doctoral study by Michael Hanna has been found to be complete and satisfactory in all respects, and that any and all revisions required by the review committee have been made.

Review Committee Dr. Bob Duhainy, Committee Chairperson, Information Technology Faculty Dr. Constance Blanson, Committee Member, Information Technology Faculty Dr. Gary Griffith, University Reviewer, Information Technology Faculty Chief Academic Officer and Provost Sue Subocz, Ph.

Walden University 2020 Abstract Exploring Cybersecurity Awareness and Training Strategies To Protect Information Systems and Data by Michael Mohsen Hanna MS, Walden University, 2019 MS, University of Calgary, 2011 BS, University of Calgary, 2005 Doctoral Study Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Information Technology Walden University June 2020 Abstract Ineffective security education, training, and awareness (SETA) programs contribute to compromises of organizational information systems and data. Inappropriate actions from users due to ineffective SETA programs may result in legal consequences, fines, reputational damage, adverse impacts on national security, and criminal acts. Grounded in social cognitive theory, the purpose of this qualitative multiple case study was to explore strategies hospitality organizational information technology (IT) leaders utilized to implement SETA successfully. The participants were organizational IT leaders from four organizations in Hampton Roads, Virginia.

Data collection was performed using telephone and video teleconference interviews with organizational IT leaders (n = 6) as well as secondary data analysis of documents related to SETA programs (n = 31). Thematic analysis was used to analyze and code the data, which resulted in three themes. Consistent, persistent, and relevant awareness and training was the first theme to emerge. Awareness and training based on threats, vulnerabilities, and risks was the second theme to emerge.

Disclosing expectations and taking appropriate actions towards employees based on behavior was the third theme to emerge. A recommendation is that SETA should be performed regularly throughout the year while using employee rewards and punishments to promote desired behavior. The findings of this study may promote positive social change by providing information to IT leaders to develop SETA programs and reduce security risks within organizations across various industries. Improved SETA may contribute to improved cyber practices at home and better protect family members.

Exploring Cybersecurity Awareness and Training Strategies To Protect Information Systems and Data by Michael Mohsen Hanna MS, Walden University, 2019 MS, University of Calgary, 2011 BS, University of Calgary, 2005 Doctoral Study Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Information Technology Walden University June 2020 Dedication I dedicate this study to my father, Moe, my mother, Nana, and my son, Matthew. First, to my father, who passed away two years before completing this study. He was a PhD in Chemical Engineering and always emphasized the importance of education. He always had an analogy for everything, and many of them related to education.

When I completed my bachelor’s degree, he once joked with me and said he would be impressed when I finished a doctorate degree. I know he was always proud of me, but this accomplishment means so much to me. He taught me the meaning of preserving through the greatest of challenges and the importance of education. I will never forget you, and I will always love you dad.

To my mother, she always taught me the importance of realizing there is more to life than just work and school. She was the other half to my development, and I would not be the man I am today without her. Last, I would like to dedicate this to my one-year-old son. Even though my son cannot read yet, I want him to understand the importance of pushing through the challenges life presents us with.

Matthew, I promise you that I will always be there for you. Acknowledgements I could not have made it to this point of my academic and professional life without my incredible wife, Ryann. My wife and I have gone through the challenges of deployment, building a life together with our son, and completing doctoral programs together. We have both sacrificed so much to get to this point, and I couldn’t have done this without you.

Your love, coaching, and support have meant so much to me from the moment we met. Once again, to my son, Matthew. Just watching you grow up and develop throughout the early stages of your life, you have really shown me what is important in life. I hope the example I try to make and the value I place on education, grit and resiliency are concepts my son takes with him throughout his life.

My ability to persevere came from my parents, and I am so thankful that they have had my back my entire life. I must also thank my doctoral committee for the support and guidance they have provided me. Thank you Dr. Blanson, and Dr.

This has been one of the most significant journeys of my life and it would have not been possible without my doctoral program committee. Table of Contents List of Tables .v Section 1: Foundation of the Study.1 Background of the Problem .2 Nature of the Study .5 Interview/Survey Questions .7 Assumptions, Limitations, and Delimitations. 9 Significance of the Study .10 Contribution to Information Technology Practice. 10 Implications for Social Change.

10 A Review of the Professional and Academic Literature .11 Social Cognitive Theory. 13 Components and Modes of Human Agency. 16 Triadic Reciprocal Determinism Model and Constructs. 20 i Contrasting and Similar Theories.

30 Cybersecurity Awareness and Training. 34 Human Factor in Cybersecurity. 41 Security Education, Training, and Awareness Research. 48 Transition and Summary .49 Section 2: The Project .52 Role of the Researcher .56 Research Method and Design.

63 Population and Sampling. 75 Data Collection Technique. 79 Data Organization Techniques. 81 Data Analysis Technique .83 Reliability and Validity.

90 Transition and Summary .90 Section 3: Application to Professional Practice and Implications for Change .92 Overview of Study .92 Presentation of the Findings.92 Theme 1: Consistent, Persistent and Relevant Training and Awareness. 93 Theme 2: Awareness and Training Based Off Threats, Risks and Vulnerabilities. 99 Theme 3: Consequences and Disclosed Expectations. 105 Applications to Professional Practice .112 Implications for Social Change .116 Recommendations for Action .118 Recommendations for Further Study .122 Summary and Study Conclusions .123 Appendix A: Interview Protocol .174 Appendix B: Interview Questions .177 Appendix C: Letter of Invitation.178 iii Appendix D: Informed Consent Form .180 iv List of Tables Table 1.

Frequency of First Major Theme in Participant Responses and Documentation……………………………………………………………………. Frequency of Second Major Theme in Participant Responses and Documentation……………………………………………………………. Frequency of Third Major Theme in Participant Responses and Documentation……………………………………………………………………108 v 1 Section 1: Foundation of the Study In this section, I will present the background of the problem, problem statement, purpose statement, and nature of the study. I will delineate the assumptions, limitations, and delimitations of the study.

Also, I will present the research question, conceptual framework, and significance of the study. Background of the Problem Organizations utilize a combination of technical and nontechnical security measures to protect information systems and data through a multilayered, defense-in- depth strategy (Conteh & Schmick, 2016). According to Conteh and Schmick (2016), a defense-in-depth strategy consists of security policies, network guidance, audits and compliance, technical solutions, physical security, and security education, training, and awareness (SETA). The weakest layer in an organization’s defense-in-depth strategy is related to the user’s unawareness of cybersecurity best practices, cybersecurity threats, and vulnerabilities (de Bruijn & Janssen, 2017).

The purpose of cybersecurity awareness and training programs are to ultimately protect an organization from the harm posed by cybersecurity vulnerabilities, threats, and attacks by improving employee education, training, and awareness (Beuran et al. The need for better cybersecurity awareness and training strategies are demonstrated by 58% of employees not knowing how to protect an organization from malicious activity, and 98% incorrectly believing security responsibilities are delegated to the system administrators (Hadlington, 2017). Effective SETA strategies are needed to protect users and organizational information systems and data. 2 Problem Statement Humans are the weakest layer in an organization’s cybersecurity program, and their unawareness contributes to an organization’s vulnerabilities (de Bruijn & Janssen, 2017).

The need for better cybersecurity awareness and training strategies are demonstrated by 58% of employees not knowing how to protect an organization from malicious activity, and 98% incorrectly believing security responsibilities are delegated to the system administrators (Hadlington, 2017). The general information technology (IT) problem is that ineffective employee cybersecurity awareness and training programs contribute to compromises of organizational information systems and data. The specific IT problem is that some corporate hospitality IT leaders lack strategies to implement cybersecurity awareness and training programs to protect organizational information systems and data. Purpose Statement The purpose of this qualitative exploratory multiple case study was to explore strategies used by corporate hospitality IT leaders to implement cybersecurity awareness and training programs to protect organizational information systems and data.

The population consisted of corporate hospitality IT leaders including the chief executive officer (CEO), chief operating officer (COO), general managers, chief information officer (CIO), chief information security officer (CISO), and IT directors in Hampton Roads, Virginia, who have implemented cybersecurity awareness and training strategies within their organization. Implications for positive social change include the potential improvement to awareness and training programs that contribute to better cybersecurity 3 practices, which may protect national security, guard critical infrastructure, and prevent disclosure of sensitive information due to compromise that may harm citizens. The improvement of cybersecurity awareness and training also has the potential of protecting these same employees and their families, including children at home, as a result of effective education. The lessons learned at work through awareness and training programs can be retaught at home, which may protect families from crime and nefarious intent.

There is also the potential to contribute new knowledge and insights that may lead to discovery, such as new strategies and tactical level implementations that may protect organizations from damaging events and ultimately improve the cybersecurity culture at a macrolevel. Nature of the Study My intent in this qualitative exploratory multiple case study was to explore organizational cybersecurity awareness and training strategies used to educate employees on practices to protect organizational information systems and data. Multiple case studies enable researchers to acquire a deeper understanding of a phenomenon (Zach, 2006). My intent in this study was to provide depth in understanding the strategies of cybersecurity awareness and training used to educate employees on practices to protect organizational information systems and data.

A qualitative research method was suitable for this study because I focused on multiple organizations and their successful implementation of cybersecurity awareness and training programs. Qualitative research promotes the generation of detailed and rich responses to intricate subjects (Cope, 2014). Therefore, I decided not to collect numerical data to evaluate my research questions, which is 4 explicitly required in a quantitative study. A quantitative study is appropriate when numerical data is used to describe a phenomenon (Carr, 1994).

Mixed methods research encompasses the incorporation of qualitative and quantitative methods and should only be utilized if the combination of methods better explains the research question than a single approach alone (Halcomb, 2019). Because I intended to explore this phenomenon and not describe it with numerical data, quantitative research was not appropriate for this study.

Nội dung được bảo vệ bản quyền — Tải xuống đầy đủ