Abstract
There is an urgent need for transformative changes in cyber security awareness and training programs to produce individuals and the workforce that can deal with business risks emanating from the prevailing and emerging cyber-attacks. This chapter proposes a cyber security competency model that integrates learning theories (cognitive, affective, and psychomotor), learning continuum hierarchy (awareness and training), and cyber security domain knowledge. Employing literature search of scholarly and practitioner works, together with cyber security standards from governmental and non-governmental organizations, the chapter integrates cyber security domain knowledge, learning theories, and learning continuum hierarchy to design a model of cyber security competencies suitable for use in educating individuals and the general workforce. This theoretical-based approach to designing cyber security awareness and training programs will produce skillful individuals and workforce that can mitigate cyber-attacks in the global business environment.
TopIntroduction
Cyber security is a global concern owing to the increasing reliance on the Internet (Dahbur, Bashabsheh, & Bashabsheh, 2017). It is one of the most serious economic and national security challenges faced by governments (Moskal, 2015), developed and developing nations (Stoddart, 2016), and public and the private businesses (Gunzel, 2017). National and international businesses are at risk as the Internet facilitates both business transactions and cyber-attacks across geographical boundaries. Cyber threats come from numerous sources, including hostile governments, terrorist groups, disgruntled employees, and malicious intruders (Nunez, 2017). The attacks can range from stealing of employees' personal information (Office of Personnel Management, 2015) to attacks on critical infrastructure such as derailment of passenger trains, contamination of water supplies, and shutting down of power grid (Palmer, 2014).
Dealing with cybercrime becomes necessary because of the high cost of cybercrime on the societies, governments, and individuals (Wiederhold, 2014). For instance, the loss of revenue due to cyber attacks is estimated at US$240,000 per day among business organizations and can be more than US$100,000 per hour for retailers (Hui, Kim, & Wang, 2017; Neustar 2012). The Center for Strategic and International Studies estimates that an average annual cost of cybercrime to the global economy is $400 billion (McAfee, 2014); whereas Eubanks (2017) predicts that an average approximate cost of cybercrime will reach US$6 trillion by 2021.
Cyber threats pose danger to national security, financial security, and undermine individuals' privacy. Cyber security has become a top national priority (Proclamation 9508, 2016). It is an important institutional and community responsibility that requires an effective partnership between institutions and the entire community (Oblinger, 2015), including individuals and the general workforce. Thus, to effectively deal with cyber attacks, action is needed at national and global levels requiring individuals, society, and private businesses to better understand and to deal with cyber threats (Stoddart, 2016). The workforce and individuals need competencies and skills, including behavioural, management, and technical expertise to handle cyber attacks in the dynamic cyber threats environment (Singapore Increases Cyber security Training for Youths, 2014).
However, there seems to be a problem of inadequate knowledge and skill among individuals and the general workforce as to how to appropriately maintain cyber safety and respond to cyber attacks. Individuals and the current workforce apparently lack how to effectively apply cyber security measures. According to Russell (2017), public awareness of cyber threats is growing. However, evidence suggests that there are rapid increases in cyber related crimes in the recent years. For example, Global Economic Crime Survey records a high rise of cybercrime from 4th to 2nd position on the global economic crimes list (Global Economic Crime Survey, 2016).
Key Terms in this Chapter
Phishing: A deceptive normally online attempt by an attacker to obtain user’s confidential information for financial gain.
Spoofing: This occurs when hackers attempt to hide their true identities or misrepresent themselves by using fake e-mail addresses or masquerading as someone else.
Hacking: An intentional disruption, defacing, or even destroying an information resources normally carried out on the internet.
Identity Fraud: This is an unauthorized use of another person’s personally identifiable information, such as social security, driver’s license, credit card numbers, user names, and passwords for illegal financial benefit.
Pharming: This involves redirecting a web link to an address different from the intended one, with the fake site appearing as the intended destination.
Sniffing: This is a program that monitors information travelling over a network, enabling hackers to steal proprietary and sensitive information from anywhere on a network.
Denial of Service (DoS): This happens when hackers flood a server with useless traffic to inundate and overwhelm the network, often degrading the server’s performance and causing it to shut down with the intent of damaging the organization’s reputation and customer relationships.
Cyber Competency: The ability, skill, and knowledge by individuals to protect themselves and their organization's cyberspace.