Next Article in Journal
Dynamic Graph Representation Learning for Passenger Behavior Prediction
Previous Article in Journal
Development of a Novel Open Control System Implementation Method under Industrial IoT
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Future Internet
Volume 16
Issue 8
10.3390/fi16080294
futureinternet-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles thumb_up
...
Endorse textsms
...
Comment
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Establishing a Model for the User Acceptance of Cybersecurity Training

by
Wesam Fallatah
1,*,
Joakim Kävrestad
2,* and
Steven Furnell
1,*
1
School of Computer Science, University of Nottingham, Nottingham NG8 1BB, UK
2
School of Engineering, Jönköping University, 551 11 Jönköping, Sweden
*
Authors to whom correspondence should be addressed.
Future Internet 2024, 16(8), 294; https://doi.org/10.3390/fi16080294
Submission received: 20 July 2024 / Revised: 10 August 2024 / Accepted: 13 August 2024 / Published: 15 August 2024
(This article belongs to the Section Cybersecurity)
Browse Figures
Versions Notes

Abstract

:
Cybersecurity is established as fundamental for organisations and individuals engaging with digital technology. A central topic in cybersecurity is user behaviour, which has been shown to be the root cause or enabler in a majority of all cyber incidents with a resultant need to empower users to adopt secure behaviour. Researchers and practitioners agree that a crucial step in empowering users to adopt secure behaviour is training. Subsequently, there are many different methods for cybersecurity training discussed in the scientific literature and that are adopted in practise. However, research suggests that those training efforts are not effective enough, and one commonly mentioned reason is user adoption problems. In essence, users are not engaging with the provided training to the extent needed to benefit from the training as expected. While the perception and adoption of individual training methods are discussed in the scientific literature, cohesive studies on the factors that impact user adoption are few and far between. To that end, this paper focuses on the user acceptance of cybersecurity training using the technology acceptance model as a theory base. Based on 22 included publications, the research provides an overview of the cybersecurity training acceptance factors that have been discussed in the existing scientific literature. The main contributions are a cohesive compilation of existing knowledge about factors that impact the user acceptance of cybersecurity training and the introduction of the CTAM, a cybersecurity training acceptance model which pinpoints four factors—regulatory control, worry, apathy, and trust—that influence users’ intention to adopt cybersecurity training. The results can be used to guide future research as well as to guide practitioners implementing cybersecurity training.

1. Introduction

In today’s digital age, the importance of cybersecurity has increased exponentially, and organisations are increasingly dependent on robust security to defend their digital assets. An essential aspect of this defence strategy is cultivating a strong security culture throughout the organisation so that employees are aware of the cybersecurity threat and how they can mitigate it. In this endeavour, cybersecurity training plays a vital role by educating users on safe practises that they can use to combat common threats such as phishing, ransomware, and social engineering. Despite the apparent benefits of cybersecurity training, organisations face significant challenges in encouraging the acceptance and adoption of these programmes among their employees. Many employees have a tendency to be reluctant to participate in training sessions, which undermines the effectiveness of these training programmes.
Understanding users’ acceptance would aid future development. Many models have been developed to explain the user acceptance of technologies, introducing factors that affect user acceptance. These include widely recognised models such as the Technology Acceptance Model (TAM), Model of PC Utilisation (MPCU), Theory of Planned Behaviour (TPB), and Social Cognitive Theory (SCT). Although most of these models offer valuable insights into technology adoption, they often introduce factors that may not be directly applicable to the specific context of cybersecurity training acceptance. By focusing on factors such as Perceived Usefulness (PU) and Perceived Ease Of Use (PEOU), the TAM may address the key elements that influence an individual’s decision to engage in and accept cybersecurity training. This direct relevance makes the TAM an ideal choice for this study, ensuring a focused and effective analysis of the factors that drive user engagement in the cybersecurity training context.
Most importantly, there is a lack of comprehensive literature on training acceptance that takes into account factors that contribute to the user acceptance of cybersecurity training. To address this gap, this study seeks to answer the following question: How does current research relate to the factors mediating the user acceptance of technology? The study utilises the Technology Acceptance Model (TAM), a well-established theory initially introduced by [1] and subsequently reviewed and expanded upon by numerous studies, such as [2,3,4], to demonstrate how to encourage the acceptance and adoption of information systems.
The research proceeds to explore the application of the TAM factors in the context of cybersecurity training acceptance. As a result, the study introduces a cybersecurity training acceptance model (CTAM) and underscores existing research gaps related to the user acceptance of cybersecurity training. Equally important, this study highlights factors that have not been discussed in the context of cybersecurity training acceptance by previous research. Identifying the key factors that drive the user acceptance of cybersecurity training contributes to informing the development of more effective cybersecurity training programmes that engage users and improve organisational security measures. This will ultimately support active participation and improve the broader cybersecurity culture.

2. Components and Evolution of the TAM and Its Extensions

The core components of the TAM provide a foundational framework that helps understand how users accept a technology. The model explains that the user adoption of technology is influenced by Behavioural Intention (BI), which is influenced by PU and PEOU. PEOU also has in influence on PU. PU, PEOU, and BI, as well as the relationships between those, are mediated by external factors, which are the focus of this research. The external factors outlined by [3,4] and what the TAM constructs or the relationships it mediates are reflected in Figure 1 below. Factors that mediate the same constructs or relationships are grouped together to increase readability.
The TAM has undergone a number of changes over the past few decades. For instance, ref. [3] proposed an update known as TAM2, in which they provided more detailed explanations of why technology users can find a given system useful. This update entailed the notion that users’ perceptions of the usefulness of a given system are influenced by their mental assessment of how well the system corresponds to essential goals within the workplace [3]. The study results showed that TAM2 performed well both in voluntary and mandatory settings. Later, ref. [2] reviewed the TAM’s evolution over time by assessing its impact and relevance in various contexts. The review is segmented into past, present, and future. The past section traces the origins and early developments of the TAM by highlighting how it emerged as a basic model for understanding the user acceptance of technology using the initial constructs, namely PU and PEOU. The present section of the study discusses the numerous extensions and adaptations that have been proposed to enhance the TAM’s explanation and applicability. These extensions often integrate additional factors, including facilitating conditions and social influence, reflecting the dynamic of technology acceptance. The authors also evaluated the TAM’s performance across different user demographics and technological contexts. In the future section, ref. [2] suggested potential directions for future research, including exploring emerging technologies and considering novel theoretical constructs.
In a subsequent development, ref. [3] presented an advanced version, TAM3, and proposed a research agenda focused on interventions to enhance technology acceptance. This was designed to address some of the limitations by incorporating an extensive set of factors influencing technology acceptance. This model integrates elements from TAM2 and the Unified Theory of Acceptance and Use of Technology (UTAUT), along with new constructs. Key additions include the influence of individual differences (e.g., perceptions of external control and computer self-efficacy), system characteristics (e.g., perceived enjoyment and objective usability), and contextual factors (e.g., experience and voluntariness). The external factors presented in the TAM are described in Table 1.
The TAM and its extensions have been extensively employed to understand the user acceptance of technologies in a variety of contexts, demonstrating its adaptability and robustness in explaining technology adoption. Based on studies [2,3,4], the TAM has been found to be effective at predicting acceptance and usage behaviour. However, the TAM and its extended models have not been thoroughly explored in the context of cybersecurity training acceptance in spite of their widespread application. It is essential to recognise that cybersecurity involves unique challenges and user interaction paradigms fundamentally different from those associated with traditional technology use. As an example, user compliance with security measures may be driven by a variety of factors, including fear of breaches or potential legal implications, which are not considered primarily in the TAM. It is imperative that research be conducted to adapt and validate the TAM within the cybersecurity context to ensure that it adequately captures the distinct factors influencing the adoption of security technologies. Specifically, focusing on factors that influence users’ acceptance of cybersecurity training can significantly foster greater user adherence to cybersecurity practises.

3. Literature Assessment Methodology

This research is conducted as a structured literature review following the methodology proposed by [5]. As suggested by [6,7], an inclusive approach was adopted in selecting databases and developing the search queries. The literature review aimed to examine factors influencing users’ acceptance of cybersecurity training and to identify relevant publications. To achieve this, the following query was developed: (((cyber OR information OR computer OR it) AND security)) AND (training OR education OR awareness) AND (adoption OR acceptance OR usage) AND [FACTOR]. The intention was to capture all permutations of cybersecurity training combined with the adoption of words with similar meanings. Finally, terms for each factor in the CTAM were appended. The search string was applied to the following databases and indexes: Scopus, Web of Science (WoS), IEEE Xplore, and ACM Digital Library, with minor modifications to the logic to meet the requirements of the respective databases. These databases and indexes provide comprehensive coverage within the fields of technology and computer science. It is also worth noting that Scopus and WoS are general indexing databases that provide a broad overview of peer-reviewed literature across various disciplines, including their extensive inclusion criteria and wide-ranging scope. This ensures a diverse and multidisciplinary perspective on the research findings. On the other hand, IEEE Xplore and ACM Digital Library are publisher-specific repositories, which allow for more in-depth access to the latest advancements. While these databases are expected to yield different results due to their indexing criteria, there is a possibility of overlap. For instance, a paper published by ACM could potentially be retrieved from the ACM Digital Library, WoS, and Scopus, illustrating the varying coverage of these scholarly resources. Additional complementary searches with the same terms applied to the databases and indexes were also conducted on Google Scholar. The search approach resulted in 125 searches conducted on the listed databases and indexes. The papers resulting from the searches were screened for inclusion in a five-step process as follows:
  • The hits from each search were screened based on titles and abstracts. The result of this step was a list of candidate papers. This step was completed by two researchers individually.
  • The lists of the two researchers were compared, and all papers included by one or both researchers were included for the next step.
  • The full body of the candidate papers was screened again by two researchers individually. The result was a refined list of candidate papers.
  • The lists of the two researchers were compared. Disagreements were solved by discussing each paper, where the researcher made different decisions until a consensus was reached. The output of this step was reviewed by a third researcher.
  • Backwards snowballing was applied by considering all papers referenced by the set of papers from (4). Steps 1–4 were repeated for those papers, resulting in a final set of included publications.
The screening process is documented in the Preferred Reporting Items for Systematic reviews and Meta-Analyses (PRISMA) flow diagram displayed in Figure 2, which is based on [8,9].

4. Results

This section presents the results of the literature review aimed at identifying the factors influencing users’ acceptance of cybersecurity training. First, an overview of the TAM and its various extensions is provided to establish a basis for identifying all possible factors influencing technology acceptance. Subsequently, the study conducted a systematic literature review in order to examine how these factors have been discussed in cybersecurity training studies, both directly and indirectly. As part of the review, a number of studies were analysed to determine whether TAM-related factors had been empirically examined in the context of cybersecurity training. The direct factors are those explicitly identified in the studies, while the indirect factors are those discussed in broader terms, but which are relevant to cybersecurity training. In addition, the review identified gaps in the literature where certain TAM factors have not been examined for cybersecurity training. New factors unique to this context were also explored, providing a more comprehensive understanding of what influences cybersecurity training acceptance. These findings provide insight into the development of more effective cybersecurity training programmes that increase user compliance and enhance the overall organisational security culture.
The table below lists the publications that were included and the factors they discussed. Some included publications provide empirical data that show that one or more factors impact the acceptance of cybersecurity training. Other publications present findings that are indirectly related to the acceptance of cybersecurity training. That includes, for instance, the perception of cybersecurity training or willingness to adopt cybersecurity measures at large rather than training specifically. This is reflected in Table 2.
Several studies have examined the factors that directly influence users’ acceptance of cybersecurity training. Ref. [11] suggest that combining different methods of text-based, game-based, and video-based delivery for awareness training is superior to an individual delivery method. This finding indicates that integrating diverse, engaging learning formats is effective. Also, participants in the same study [11] preferred simpler text and video formats due to their lower complexity even when game-based methods were used. Ref. [13] found that users frequently seek advice from trusted colleagues or those who frequently assist them with computer issues, which illustrates the importance of social presence and trust. The study by [16] identified attitude, apathy, and social trust as significant barriers to user participation in cybersecurity training, and found that using lengthy or complex language in materials may result in user fatigue, preventing some individuals from reading them. Refs. [18,19] examined perceived enjoyment in training, demonstrating that engaging training processes significantly enhance engagement. In addition, ref. [19] found that perceived content quality, social norms, and entertainment significantly influence user satisfaction. In turn, user satisfaction leads to increased stickiness and security knowledge. Taking into account the perception of external control, ref. [28] suggest that users are more likely to engage in training if they perceive strong organisational support, while ref. [23] identified facilitating conditions, relative advantage, and worry as factors influencing the user acceptance of cybersecurity training.
Other publications also present findings related to the acceptance of cybersecurity training, although indirectly related, such as the willingness to adopt cybersecurity measures in general rather than training specifically. Indirectly researched factors also played a significant role in understanding user acceptance. In their study, ref. [10] emphasised the importance of training relevance, user experience, management support, and facilitating conditions. It should be noted, however, that these factors were discussed throughout the study more than empirically supported. Ref. [12] underlined the importance of management support, relevance, and regulatory control in the adoption of security culture, highlighting the importance of these factors to foster a positive environment for cybersecurity initiatives, including training. Ref. [14] investigated perceived quality, usability, social norms and pressure, facilitating conditions, and accessibility within the context of broader cybersecurity measures among IT professionals. Self-efficacy has been highlighted by [15,20], both of whom note that it has a significant impact on the enhancement of security practises. The study by [20] found that individuals with a high level of self-efficacy practised better security operations, including using security software, applying updates, and generally practising good security behaviours. In their study, ref. [22] examined how perceived quality, social norms, and perceived external control influence user acceptance. The study suggests that employees’ perceptions of Security Education, Training, and Awareness (SETA) programmes are shaped by these factors, which affect employees’ behaviour and can explain their engagement levels with cybersecurity training. Furthermore, refs. [21,24] emphasised the importance of relevance and usability, with [24] also addressing innovativeness and result demonstrability within a qualitative context and [21] discussing how to present security information, suggesting that usability and relevance are important for training to be effective. Several studies highlight that perceived enjoyment increases engagement and motivation, which influences users to embrace and participate in training programmes [25,26,27,30,31]. The model in Figure 3 below illustrates the factors identified in previous studies and highlights those that have been overlooked. The factors written in capital letters are factors that were not identified in the background presented in Section 2, but new factors identified during the structured literature review.

5. Discussion

This study uses the TAM as a theoretical framework to analyse users’ adoption of technology. Specifically, the study investigates how TAM factors, which were first presented by [1] and later reviewed and extended by studies [2,3,4], can be applied to the acceptance of cybersecurity training. Consequently, this study proposes the CTAM and identifies research gaps regarding the user acceptance of cybersecurity training. Th TAM extended versions include a number of factors that are not addressed in the current literature regarding the user acceptance of cybersecurity training, highlighting a need for further research in this area. These factors are visibility, voluntariness, anxiety, trialability, playfulness, and end user support. Visibility can assist in designing transparent training programmes, thus making the benefits of the training clear to users. Voluntariness suggests that optional content in training could enhance user receptiveness. When cybersecurity training is voluntary, users may feel more motivated and autonomous to engage with it. Furthermore, addressing anxiety by creating supportive atmospheres to users could improve training adoption rates. Trialability could facilitate the development of training sessions (e.g., exploratory or pilot sessions), increasing adoption and effectiveness. Users can remain committed and engaged if they are able to test out training modules without feeling pressured. An engaging and enjoyable training programme could also be achieved through the use of playfulness, leading to increased participation and retention. Providing robust user support can encourage users to feel more confident and capable, thereby facilitating adoption. These factors can significantly contribute to user acceptance and engagement in cybersecurity training, resulting in more effective and widespread adoption.
As a key contribution, the study brought to light the influence of four factors (i.e., regulatory control, worry, apathy, and trust) on users’ BI to adopt cybersecurity training. These factors can play a vital role in determining the effectiveness of cybersecurity training programmes. Firstly, regulatory control can be defined as a set of formal policies, rules, and regulations that govern cybersecurity practises within an organisation. A structured and supportive environment for cybersecurity initiatives, including training, requires regulatory control. Providing users with a clear understanding of legal and organisational expectations regarding cybersecurity practises promotes compliance and accountability. Cybersecurity training programmes that consider regulatory control may result in higher compliance rates and a more conscious culture, whereas those that neglect regulatory control may result in a lack of enforcement and adherence to cybersecurity protocols, reducing the effectiveness of the training. Furthermore, the second factor “worry” refers to the concern users feel about potential cybersecurity threats and their consequences. In some cases, worry may be a significant motivator for users to attend cybersecurity training. For example, when users are aware of the potential risks and dangers of cybersecurity breaches, they are more likely to take the training seriously and practise what they have learned. If this aspect is taken into consideration, then engagement and motivation could be enhanced, leading to a better retention of information and application of cybersecurity measures. However, ref. [23] found that despite the possibility that worry may motivate users to engage in cybersecurity training, there was no meaningful linkage between worry and willingness to pay for or take up cybersecurity training. This finding suggests that worry alone does not drive the adoption of cybersecurity training, indicating that the combination of other factors is more likely to influence users’ willingness to engage in cybersecurity training. Thus, understanding worry and leveraging it in conjunction with other mediating factors may enhance the effectiveness and uptake of training.
Moreover, the third factor, “apathy”, refers to users’ lack of interest, enthusiasm, or concern for cybersecurity issues. The lack of interest in cybersecurity training represents a significant barrier to its effectiveness. No amount of training will be effective in changing a user’s behaviour or improving their security practises if they do not care about cybersecurity. A cybersecurity programme must find ways to motivate and engage different users, perhaps by emphasising the stakes involved on a personal and organisational level. It is essential to keep this factor in mind when training users, as unengaged users are unlikely to adopt the necessary cybersecurity behaviours. Finally, trust refers to users’ confidence in the information, advice, and training provided by their organisation or trusted colleagues. Trust is vital to ensure that cybersecurity training is accepted and effective. Users are more likely to follow and adopt guidelines and practises if they trust the source of information and the purpose of the training. Cybersecurity practises can be significantly enhanced by establishing trust through transparent communication and credible training sources. The lack of trust may lead to scepticism and resistance, reducing the overall impact of training.
It is imperative that organisations adopt a multifaceted approach to cybersecurity training in order to increase user acceptance. A clear understanding of the benefits and importance of the training can significantly increase engagement [4]. It has also been shown that incorporating elements of choice within mandatory programmes increases user receptivity, since a feeling of autonomy enhances positive attitudes [2]. In order to facilitate greater adoption rates of technology, it is essential to create a supportive and user-friendly environment [3] in which anxiety can be reduced through accessible resources. It is also essential to address factors unique to cybersecurity training, such as fostering an environment that promotes compliance and accountability. Despite the fact that addressing user concerns about cyber threats may not directly influence training adoption, it can still have a profound impact on engagement strategies. A proactive approach to combating user apathy involves emphasising the personal and organisational stakes involved in cybersecurity. Establishing trust through transparent communication and credible training sources encourages adherence to guidelines and best practises.

6. Conclusions and Future Work

Organisations are increasingly dependent on robust security to protect their digital assets. To effectively protect these assets, cybersecurity training is essential in educating employees on safe practises to combat common threats. Although cybersecurity training has apparent benefits, organisations struggle to encourage employees to engage with it [32]. Furthermore, there is a lack of comprehensive literature on the user acceptance of cybersecurity training. This study addresses this gap by exploring the application of the TAM’s factors in the context of cybersecurity training acceptance. Accordingly, the study identifies research gaps related to cybersecurity training acceptance and introduces the CTAM. The study concluded that several of the TAM’s factors have not previously been addressed in cybersecurity training acceptance research, including visibility, voluntariness, anxiety, trialability, playfulness, and end user support. Most importantly, the CTAM introduces four factors—regulatory control, worry, apathy, and trust—that influence users’ BI to adopt cybersecurity training. By understanding these key drivers of user acceptance, cybersecurity training programmes can be designed to engage users effectively and enhance security measures. This will ultimately foster active participation and strengthen the broader cybersecurity culture.
This study examined the research landscape by applying a structured literature review methodology. The search queries, databases, and screening processes were developed with an inclusive mindset. However, it should be noted that some relevant research may have been missed. Further evaluation of the search and inclusion protocols will enable future studies to build upon the findings of this review. Future research should further explore the identified and emerging factors to develop a comprehensive understanding of user engagement in cybersecurity training. This will aid in designing and implementing more effective and widely accepted cybersecurity training programmes, ultimately enhancing user engagement and compliance and leading to a more robust security posture.

Author Contributions

Conceptualization, J.K.; Methodology, W.F., J.K. and S.F.; Formal analysis, W.F. and J.K.; Data curation, W.F.; Writing—original draft, W.F.; Writing—review & editing, J.K. and S.F.; Supervision, J.K. and S.F. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by Lars Hierta Memorial Foundation grant number FO2022-0037.

Data Availability Statement

The original contributions presented in the study are included in the article, further inquiries can be directed to the corresponding authors.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Davis, F.D. A Technology Acceptance Model for Empirically Testing New End-User Information Systems: Theory and Results; Massachusetts Institute of Technology: Cambridge, MA, USA, 1985. [Google Scholar]
  2. Lee, Y.; Kozar, K.A.; Larsen, K.R. The technology acceptance model: Past, present, and future. Commun. Assoc. Inf. Syst. 2003, 12, 50. [Google Scholar] [CrossRef]
  3. Venkatesh, V.; Davis, F.D. A theoretical extension of the technology acceptance model: Four longitudinal field studies. Manag. Sci. 2000, 46, 186–204. [Google Scholar] [CrossRef]
  4. Venkatesh, V.; Bala, H. Technology acceptance model 3 and a research agenda on interventions. Decis. Sci. 2008, 39, 273–315. [Google Scholar] [CrossRef]
  5. Paré, G.; Kitsiou, S. Methods for literature reviews. In Handbook of Ehealth Evaluation: An Evidence-Based Approach [Internet]; University of Victoria: Victoria, BC, Canada, 2017. [Google Scholar]
  6. Meline, T. Selecting studies for systemic review: Inclusion and exclusion criteria. Contemp. Issues Commun. Sci. Disord. 2006, 33, 21–27. [Google Scholar] [CrossRef]
  7. Jesson, J.; Lacey, F.M.; Matheson, L. Doing Your Literature Review: Traditional and Systematic Techniques; Sage: Thousand Oaks, CA, USA, 2011. [Google Scholar]
  8. Page, M.J.; McKenzie, J.E.; Bossuyt, P.M.; Boutron, I.; Hoffmann, T.C.; Mulrow, C.D.; Shamseer, L.; Tetzlaff, J.M.; Akl, E.A.; Brennan, S.E.; et al. The prisma 2020 statement: An updated guideline for reporting systematic reviews. BMJ 2021, 372, 71. [Google Scholar] [CrossRef] [PubMed]
  9. Sarkis-Onofre, R.; Catalá-López, F.; Aromataris, E.; Lockwood, C. How to properly use the prisma statement. Syst. Rev. 2021, 10, 117. [Google Scholar] [CrossRef] [PubMed]
  10. Shukla, S.S.; Tiwari, M.; Lokhande, A.C.; Tiwari, T.; Singh, R.; Beri, A. A comparative study of cyber security awareness, competence and behavior. In Proceedings of the 2022 5th International Conference on Contemporary Computing and Informatics (IC3I), Uttar Pradesh, India, 14–16 December 2022; IEEE: Piscataway, NJ, USA, 2022; pp. 1704–1709. [Google Scholar]
  11. Abawajy, J. User preference of cyber security awareness delivery methods. Behav. Inf. Technol. 2014, 33, 237–248. [Google Scholar] [CrossRef]
  12. Mokwetli, M.; Zuva, T. Adoption of the ict security culture in smme’s in the gauteng province, south africa. In Proceedings of the 2018 International Conference on Advances in Big Data, Computing and Data Communication Systems (icABCD), Durban, South Africa, 6–7 August 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 1–7. [Google Scholar]
  13. Dang-Pham, D.; Pittayachawan, S.; Bruno, V. Why employees share information security advice? Exploring the contributing factors and structural patterns of security advice sharing in the workplace. Comput. Hum. Behav. 2017, 67, 196–206. [Google Scholar] [CrossRef]
  14. Alhalafi, N.; Veeraraghavan, P. Exploring the challenges and issues in adopting cybersecurity in saudi smart cities: Conceptualization of the cybersecurity-based utaut model. Smart Cities 2023, 6, 1523–1544. [Google Scholar] [CrossRef]
  15. Lui, S.M.; Hui, W. The effects of knowledge on security technology adoption: Results from a quasi-experiment. In Proceedings of the 5th International Conference on New Trends in Information Science and Service Science, Macao, China, 24–26 October 2011; IEEE: Piscataway, NJ, USA, 2011; Volume 2, pp. 328–333. [Google Scholar]
  16. Bryan Foltz, C.; Schwager, P.H.; Anderson, J.E. Why users (fail to) read computer usage policies. Ind. Manag. Data Syst. 2008, 108, 701–712. [Google Scholar] [CrossRef]
  17. Gadzama, W.A.; Katuka, J.I.; Gambo, Y.; Abali, A.M.; Usman, M.J. Evaluation of employees awareness and usage of information security policy in organizations of developing countrties: A study of federal inland revenue service, nigeria. J. Theor. Appl. Inf. Technol. 2014, 67, 443–460. [Google Scholar]
  18. Hart, S.; Margheri, A.; Paci, F.; Sassone, V. Riskio: A serious game for cyber security awareness and education. Comput. Secur. 2020, 95, 101827. [Google Scholar] [CrossRef]
  19. Ma, S.; Zhang, S.; Li, G.; Wu, Y. Exploring information security education on social media use: Perspective of uses and gratifications theory. Aslib J. Inf. Manag. 2019, 71, 618–636. [Google Scholar] [CrossRef]
  20. Rhee, H.-S.; Kim, C.; Ryu, Y.U. Self-efficacy in information security: Its influence on end users’ information security practice behavior. Comput. Secur. 2009, 28, 816–826. [Google Scholar] [CrossRef]
  21. Potgieter, M.; Marais, C.; Gerber, M. Fostering content relevant information security awareness through browser extensions. In Proceedings of the Information Assurance and Security Education and Training: 8th IFIP WG 11.8 World Conference on Information Security Education, WISE 8, Auckland, New Zealand, 8–10 July 2013, Proceedings, WISE 7, Lucerne Switzerland, 9–10 June 2011, and WISE 6, Bento Gonçalves, RS, Brazil, 27–31 July 2009; Revised Selected Papers 8. Springer: Berlin/Heidelberg, Germany, 2013; pp. 58–67. [Google Scholar]
  22. Reeves, A.; Calic, D.; Delfabbro, P. Get a red-hot poker and open up my eyes, it’s so boring” 1: Employee perceptions of cybersecurity training. Comput. Secur. 2021, 106, 102281. [Google Scholar] [CrossRef]
  23. Kävrestad, J.; Gellerstedt, M.; Nohlberg, M.; Rambusch, J. Survey of users’ willingness to adopt and pay for cybersecurity training. In Proceedings of the International Symposium on Human Aspects of Information Security and Assurance, Lesbos, Greece, 6–8 July 2022; Springer: Berlin/Heidelberg, Germany, 2022; pp. 14–23. [Google Scholar]
  24. Shillair, R. Talking about online safety: A qualitative study exploring the cybersecurity learning process of online labor market workers. In Proceedings of the 34th ACM International Conference on the Design of Communication, Silver Spring, MD, USA, 23–24 September 2016; pp. 1–9. [Google Scholar]
  25. Shen, L.W.; Mammi, H.K.; Din, M.M. Cyber security awareness game (csag) for secondary school students. In Proceedings of the 2021 International Conference on Data Science and Its Applications (ICoDSA), Porto, Portugal, 6–9 October 2021; IEEE: Piscataway, NJ, USA, 2021; pp. 48–53. [Google Scholar]
  26. Jin, G.; Tu, M.; Kim, T.-H.; Heffron, J.; White, J. Game based cybersecurity training for high school students. In Proceedings of the 49th ACM Technical Symposium on Computer Science Education, Baltimore, MD, USA, 21–24 February 2018; pp. 68–73. [Google Scholar]
  27. CJ, G.; Pandit, S.; Vaddepalli, S.; Tupsamudre, H.; Banahatti, V.; Lodha, S. Phishy-a serious game to train enterprise users on phishing awareness. In Proceedings of the 2018 Annual Symposium on Computer-Human Interaction in Play Companion Extended Abstracts, Melbourne, VIC, Australia, 28–31 October 2018; pp. 169–181. [Google Scholar]
  28. Talib, S.; Clarke, N.L.; Furnell, S.M. An analysis of information security awareness within home and work environments. In Proceedings of the 2010 International Conference on Availability, Reliability and Security, Krakow, Poland, 15–18 February 2010; IEEE: Piscataway, NJ, USA, 2021; pp. 196–203. [Google Scholar]
  29. Kajzer, M.; D’Arcy, J.; Crowell, C.R.; Striegel, A.; Van Bruggen, D. An exploratory investigation of message-person congruence in information security awareness campaigns. Comput. Secur. 2014, 43, 64–76. [Google Scholar] [CrossRef]
  30. Yasin, A.; Liu, L.; Li, T.; Fatima, R.; Jianmin, W. Improving software security awareness using a serious game. IET Softw. 2019, 13, 159–169. [Google Scholar] [CrossRef]
  31. Aladawy, D.; KBeckers; Pape, S. Persuaded: Fighting social engineering attacks with a serious game. In Proceedings of the Trust, Privacy and Security in Digital Business: 15th International Conference, TrustBus 2018, Regensburg, Germany, 5–6 September 2018; Proceedings 15. Springer: Berlin/Heidelberg, Germany, 2018; pp. 103–118. [Google Scholar]
  32. Bada, M.; Sasse, A.M.; Nurse, J.R. Cyber security awareness campaigns: Why do they fail to change behaviour? arXiv 2019, arXiv:1901.02672. [Google Scholar]
Futureinternet 16 00294 g001
Figure 1. Technology Acceptance Model (TAM) and its external factors. Based on refs. [2,3].
Figure 1. Technology Acceptance Model (TAM) and its external factors. Based on refs. [2,3].
Futureinternet 16 00294 g001
Futureinternet 16 00294 g002
Figure 2. PRISMA flow diagram outlining the searching and screening process.
Figure 2. PRISMA flow diagram outlining the searching and screening process.
Futureinternet 16 00294 g002
Futureinternet 16 00294 g003
Figure 3. Cybersecurity training acceptance model (CTAM).
Figure 3. Cybersecurity training acceptance model (CTAM).
Futureinternet 16 00294 g003
Table 1. Description of the TAM’s external factors.
Table 1. Description of the TAM’s external factors.
FactorDescription
AttitudeA person’s general attitude towards a technology or group of technologies will impact their adoption of it
AnxietyUsers who are anxious about using computers are less prone to adopt new technology
Social NormsThe perception of whether others think that it is good to adopt a technology
AccessibilityUser access to hardware and the ability to retrieve desired information impacts user acceptance
Social PressurePressure from others to adopt a technology or not
Management supportThe degree to which management supports the use of a technology by providing resources and acting as a change agent
End User SupportA technology is more likely to be adopted if support for users and IT staff is available
Facilitating ConditionsUser acceptance is impacted by a user’s perception of how well the use of a technology is supported by resource factors such as time, money, and systems support
Perceived QualityHow well a system is perceived to perform, with regard to job goals, impacts user acceptance
Perceived EnjoymentA technology which is perceived as enjoyable to use is more likely to be adopted by users
Self-EfficacyA user’s perception of their own ability to use a system will impact their acceptance of that system
ComplexityA technology which is perceived as difficult to use is less likely to be adopted
RelevanceUsers are more likely to adopt technology they perceive as beneficial for their job performance
ImageUsers are more likely to adopt technology which is perceived to improve their social status
Social PresenceA technology that allows users to experience the presence of others in a digital environment is more likely to be adopted
Result DemonstrabilityIf the impact of using a technology can be communicated to others and is observable, the user is more likely to adopt it
VoluntarinessUsers are more positive towards a technology which is perceived as being voluntary and/or free to use
InnovativenessInnovativeness increases a person’s willingness to test new technology
TrialabilityThe possibility of testing a technology increases the likelihood of it becoming adopted
VisibilityA technology which is more visible in the organisation is more likely to be adopted
UsabilityA technology which can be objectively shown to be usable is more likely to be adopted
PlayfulnessA technology which is perceived as fun to use is more likely to be adopted by users
Perception of External ControlA user’s perception of how well the organisation will support the use of a technology impacts the user’s acceptance of that technology
ExperiencePrior experience of a technology or similar technologies will impact users’ acceptance
Relative AdvantageA technology which is perceived as better than similar technologies is more likely to be adopted
Table 2. Included publications and factors discussed.
Table 2. Included publications and factors discussed.
PaperDirectly Researched FactorsIndirectly Researched Factors
Shukla et al. [10] Relevance, Experience, Management Support, Facilitating Conditions
Abawajy [11]InnovativenessUsability
Mokwetli and Zuva [12] Management Support, Relevance, Regulatory control
Dang-Pham et al. [13]Trust, Social Presence
Alhalafi and Veeraraghavan [14] Perceived Quality, Usability, Social Norms and Pressure, Facilitating Conditions, Accessibility
Lui and Hui [15] Self-efficacy
Bryan Foltz et al. [16]Attitude, Apathy, Social NormsComplexity
Gadzama et al. [17] Management Support
Hart et al. [18]Perceived Enjoyment, Relevance
Ma et al. [19]Perceived Quality, Social Norms, Perceived Enjoyment
Rhee et al. [20]Self-efficacy
Potgeiter et al. [21] Usability, Relevance
Reeves et al. [22] Experience, Perceived Quality, Social Norms, Perception of External Control
Kävrestad et al. [23]Facilitating Conditions, Relative Advantage, Worry
Shillair [24] Innovativeness, Relevance, Result Demonstrability
Shen et al. [25] Perceived Enjoyment
Jin et al. [26] Perceived Enjoyment
Gokul et al. [27] Perceived Enjoyment
Talib et al. [28]Perception of External Control
Kajzer et al. [29] Image, Social Presence, Attitude, Self-Efficacy
Yasin et al. [30] Perceived Enjoyment
Aladawy et al. [31] Perceived Enjoyment
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Fallatah, W.; Kävrestad, J.; Furnell, S. Establishing a Model for the User Acceptance of Cybersecurity Training. Future Internet 2024, 16, 294. https://doi.org/10.3390/fi16080294

AMA Style

Fallatah W, Kävrestad J, Furnell S. Establishing a Model for the User Acceptance of Cybersecurity Training. Future Internet. 2024; 16(8):294. https://doi.org/10.3390/fi16080294

Chicago/Turabian Style

Fallatah, Wesam, Joakim Kävrestad, and Steven Furnell. 2024. "Establishing a Model for the User Acceptance of Cybersecurity Training" Future Internet 16, no. 8: 294. https://doi.org/10.3390/fi16080294

APA Style

Fallatah, W., Kävrestad, J., & Furnell, S. (2024). Establishing a Model for the User Acceptance of Cybersecurity Training. Future Internet, 16(8), 294. https://doi.org/10.3390/fi16080294

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop