Information Security Awareness and Culture: Program Evaluation and Impact Metrics

DOI:

https://doi.org/10.37431/conectividad.v7i1.382

Keywords:

Information security, Impact metrics, Program evaluation, Training, Organization

Abstract

Information security awareness programs are training initiatives that combine theoretical knowledge and simulated practice to reinforce the information security culture of an organization. This paper reports a systematic review of the methodologies and metrics used to evaluate the effectiveness of such programs and their impact on user behavior and incident reduction. Thirty academic articles published between 2020 and 2025, retrieved from databases including ScienceDirect, Scielo, and Google Scholar, were analyzed. The review shows that the effectiveness of security awareness and culture programs depends on combining strategies that produce sustainable behavioral change, demonstrate risk reduction, and show a return on investment for security initiatives. Future studies should subject existing measurement scales to cross-validation in Latin American contexts and critical sectors, using gamification, simulations, and AI-powered microlearning. Finally, organizations interested in implementing these metrics are advised to begin by adopting four continuous assessment indicators: impact, sustainability, accessibility, and monitoring.

Published

2026-02-20

How to Cite

García Alayo, J. D., Múñoz Rodríguez, I. J., & Mendoza de los Santos, A. C. (2026). Information Security Awareness and Culture: Program Evaluation and Impact Metrics. CONECTIVIDAD, 7(1), 477–496. https://doi.org/10.37431/conectividad.v7i1.382

Section

Scientific Articles and Review Articles
