Concienciación y cultura de seguridad de la información: evaluación de programas y métodos de impacto

Jack David García Alayo; Israel Joel Múñoz Rodríguez; Alberto Carlos Mendoza de los Santos

doi:10.37431/conectividad.v7i1.382

Autores/as

Jack David García Alayo Universidad Nacional de Trujillo https://orcid.org/0009-0005-3038-242X
Israel Joel Múñoz Rodríguez Universidad Nacional de Trujillo https://orcid.org/0009-0002-9187-1030
Alberto Carlos Mendoza de los Santos Universidad Nacional de Trujillo https://orcid.org/0000-0002-0469-915X

DOI:

https://doi.org/10.37431/conectividad.v7i1.382

Palabras clave:

Seguridad de la información, Métricas de impacto, Evaluación de programas, Capacitación, Organización

Resumen

Los programas de concienciación en seguridad de la información son iniciativas formativas que combinan conocimiento teórico y prácticas simuladas para reforzar la cultura de seguridad de información dentro de las organizaciones. En el presente trabajo se realizó una revisión sistemática con el objetivo de examinar las metodologías y métricas empleadas para evaluar su eficacia e impacto en la conducta de los usuarios y la disminución de incidentes. Se analizaron 30 artículos académicos publicados entre 2020 y 2025, extraídos de bases de datos como ScienceDirect, Scielo y Google Académico. El estudio hecho nos permitió entender que la efectividad de los programas de concienciación y cultura de seguridad en las organizaciones depende de una combinación de estrategias para que se pueda garantizar cambios conductuales sostenibles, demostrar la reducción de riesgos y el retorno de inversión de las iniciativas de seguridad. Cabe mencionar que futuros estudios deben someter las escalas existentes a estudios de validez cruzada en contextos latinoamericanos y sectores críticos, usando gamificación, simulaciones y microlearning con IA. Por último se recomienda que las organizaciones interesadas en implementar las métricas mencionadas adopten inicialmente cuatro indicadores de evaluación continua (impacto, sostenibilidad, accesibilidad y monitorización).

Citas

Arellano, F. J. G., Barraza, Í. D., Bustos, A. F., Soto, C. P., Fonseca, V. F., & Martínez-Peláez, R. (2024). Examining cybersecurity culture in Leon city organizations: Insights from 2022. Ingeniare. Revista Chilena de Ingeniería, 32(1). https://doi.org/10.4067/s0718-33052024000100211 DOI: https://doi.org/10.4067/S0718-33052024000100211

Baltuttis, D., Teubner, T., & Adam, M. T. (2024). A typology of cybersecurity behavior among knowledge workers. Computers & Security, 140, 103741. https://doi.org/10.1016/j.cose.2024.103741 DOI: https://doi.org/10.1016/j.cose.2024.103741

Beltrán, A. J. L. (2022). Programa de concientización en seguridad de información para pequeñas empresas en la ciudad de Puyo. [Tesis de maestría, Pontificia Universidad Católica del Ecuador]. Repositorio PUCE. https://repositorio.puce.edu.ec/items/d257e331-1e2c-4155-8514-f5e7403dac69

Beltrán Muñoz, A. (2023). Análisis de la educación en ciberseguridad: Situación actual, estrategias y retos [Tesis doctoral, Universidad de Granada]. Digibug. https://digibug.ugr.es/handle/10481/92804

Bitrián, P., Buil, I., Catalán, S., & Merli, D. (2024). Gamification in workforce training: Improving employees’ self-efficacy and information security and data protection behaviours. Journal Of Business Research, 179, 114685. https://doi.org/10.1016/j.jbusres.2024.114685 DOI: https://doi.org/10.1016/j.jbusres.2024.114685

Chaudhary, S., Gkioulos, V., & Katsikas, S. (2022). Developing metrics to assess the effectiveness of cybersecurity awareness program. Journal of Cybersecurity, 8(1). https://doi.org/10.1093/cybsec/tyac006 DOI: https://doi.org/10.1093/cybsec/tyac006

Diesch, R., Pfaff, M., & Krcmar, H. (2020). A comprehensive model of information security factors for decision-makers. Computers & Security, 92, 101747. https://doi.org/10.1016/j.cose.2020.101747 DOI: https://doi.org/10.1016/j.cose.2020.101747

Fertig, T., Schütz, A. E., Weber, K. (2020). Current issues of Metrics for Information Security Awareness. In Proceedings of the Twenty-Eighth European Conference on Information Systems (ECIS 2020) (pp. 1–3). Association for Information Systems. https://www.researchgate.net/publication/342803603

Furman, S., Haney. J., Jacobs, J. (2023, 15 septiembre). Measuring the Effectiveness of U.S. Government Security Awareness Programs: A Mixed-Methods Study (Short Paper). NIST. https://www.nist.gov/publications/measuring-effectiveness-us-government-security-awareness-programs-mixed-methods-study

Garba, A. A., Siraj, M. M., & Othman, S. (2024). Holistic Systematic Review on Methodologies of Assessing Effectiveness Cybersecurity Awareness Program. Research Square. https://doi.org/10.21203/rs.3.rs-4329496/v1 DOI: https://doi.org/10.21203/rs.3.rs-4329496/v1

Gerst, M., Kappe, M., Härting, R., & Karg, C. (2024). Determinants of the successful Establishment of a Cyber Security Culture in SMEs. Procedia Computer Science, 246, 510–518. https://doi.org/10.1016/j.procs.2024.09.431 DOI: https://doi.org/10.1016/j.procs.2024.09.431

Grassegger, T., & Nedbal, D. (2021). The Role of Employees’ Information Security Awareness on the Intention to Resist Social Engineering. Procedia Computer Science, 181, 59-66. https://doi.org/10.1016/j.procs.2021.01.103 DOI: https://doi.org/10.1016/j.procs.2021.01.103

Hillman, D., Harel, Y., & Toch, E. (2023). Evaluating organizational phishing awareness training on an enterprise scale. Computers & Security, 132, 103364. https://doi.org/10.1016/j.cose.2023.103364 DOI: https://doi.org/10.1016/j.cose.2023.103364

Jayatilaka, A., Beu, N., Baetu, I., Zahedi, M., Babar, M. A., Hartley, L., & Lewinsmith, W. (2021, 12 diciembre). Evaluation of Security Training and Awareness Programs: Review of Current Practices and Guideline. [Preprint]. arXiv. https://arxiv.org/abs/2112.06356

Khando, K., Gao, S., Islam, S. M., & Salman, A. (2021). Enhancing employees information security awareness in private and public organisations: A systematic literature review. Computers & Security, 106, 102267. https://doi.org/10.1016/j.cose.2021.102267 DOI: https://doi.org/10.1016/j.cose.2021.102267

Mirtsch, M., Blind, K., Koch, C., & Dudek, G. (2021). Information security management in ICT and non-ICT sector companies: A preventive innovation perspective. Computers & Security, 109, 102383. https://doi.org/10.1016/j.cose.2021.102383 DOI: https://doi.org/10.1016/j.cose.2021.102383

Nwankpa, J. K., & Datta, P. M. (2023). Remote vigilance: The roles of cyber awareness and cybersecurity policies among remote workers. Computers & Security, 130, 103266. https://doi.org/10.1016/j.cose.2023.103266 DOI: https://doi.org/10.1016/j.cose.2023.103266

Nzeakor, O. F., Nwokeoma, B. N., Hassan, I., Ajah, B. O., & Okpa, J. T. (2022). Emerging Trends in Cybercrime Awareness in Nigeria. International Journal Of Cybersecurity Intelligence And Cybercrime, 5(3), 41-67. https://doi.org/10.52306/2578-3289.1098 DOI: https://doi.org/10.52306/2578-3289.1098

Onduto, B. (2021). Gamification of cyber security awareness – A systematic literature review. [Master’s Thesis, University of Turku]. UTUPub. https://www.utupub.fi/handle/10024/152929

Orehek, Š., & Petrič, G. (2020). A systematic review of scales for measuring information security culture. Information And Computer Security, 29(1), 133-158. https://doi.org/10.1108/ics-12-2019-0140 DOI: https://doi.org/10.1108/ICS-12-2019-0140

Prümmer, J., Van Steen, T., & Van Den Berg, B. (2023). A systematic review of current cybersecurity training methods. Computers & Security, 136, 103585. https://doi.org/10.1016/j.cose.2023.103585 DOI: https://doi.org/10.1016/j.cose.2023.103585

Rohan, R., Pal, D., Hautamäki, J., Funilkul, S., Chutimaskul, W., & Thapliyal, H. (2023). A systematic literature review of cybersecurity scales assessing information security awareness. Heliyon, 9(3), e14234. https://doi.org/10.1016/j.heliyon.2023.e14234 DOI: https://doi.org/10.1016/j.heliyon.2023.e14234

Rosado, D. G., Sánchez, L. E., Varela-Vaca, Á. J., Santos-Olmo, A., Gómez-López, M. T., Gasca, R. M., & Fernández-Medina, E. (2024). Enabling security risk assessment and management for business process models. Journal Of Information Security And Applications, 84, 103829. https://doi.org/10.1016/j.jisa.2024.103829 DOI: https://doi.org/10.1016/j.jisa.2024.103829

Susanto, T. D., & Maulana, M. D. (2024). Evaluating the Influence of Attitude versus Knowledge and Individual Factor versus Intervention Factor on Information Security Awareness in Local Government. Procedia Computer Science, 234, 1428-1434. https://doi.org/10.1016/j.procs.2024.03.142 DOI: https://doi.org/10.1016/j.procs.2024.03.142

Solomon, A., Michaelshvili, M., Bitton, R., Shapira, B., Rokach, L., Puzis, R., & Shabtai, A. (2022). Contextual security awareness: A context-based approach for assessing the security awareness of users. Knowledge-Based Systems, 246, 108709. https://doi.org/10.1016/j.knosys.2022.108709 DOI: https://doi.org/10.1016/j.knosys.2022.108709

Taherdoost, H. (2024). A Critical Review on Cybersecurity Awareness Frameworks and Training Models. Procedia Computer Science, 235, 1649-1663. https://doi.org/10.1016/j.procs.2024.04.156 DOI: https://doi.org/10.1016/j.procs.2024.04.156

Tejay, G. P., & Mohammed, Z. A. (2022). Cultivating security culture for information security success: A mixed-methods study based on anthropological perspective. Information & Management, 60(3), 103751. https://doi.org/10.1016/j.im.2022.103751 DOI: https://doi.org/10.1016/j.im.2022.103751

Thangavelu, M., Krishnaswamy, V., & Sharma, M. (2021). Impact of comprehensive information security awareness and cognitive characteristics on security incident management – an empirical study. Computers & Security, 109, 102401. https://doi.org/10.1016/j.cose.2021.102401 DOI: https://doi.org/10.1016/j.cose.2021.102401

Uchendu, B., Nurse, J. R., Bada, M., & Furnell, S. (2021). Developing a cyber security culture: Current practices and future needs. Computers & Security, 109, 102387. https://doi.org/10.1016/j.cose.2021.102387 DOI: https://doi.org/10.1016/j.cose.2021.102387

Zanke, A., Weber, T., Dornheim, P., & Engel, M. (2024). Assessing information security culture: A mixed-methods approach to navigating challenges in international corporate IT departments. Computers & Security, 144, 103938. https://doi.org/10.1016/j.cose.2024.103938 DOI: https://doi.org/10.1016/j.cose.2024.103938