An Adaptive Cybersecurity Training Framework for the Education of Social Media Users at Work

: Formalizing the approach towards risk management on social media is critical for organizations. Regrettably, a review of the state-of-the-art on cybersecurity training highlighted that the existing frameworks are either too generic or too cumbersome to be adapted to different organizations and needs. Thus, we developed the Adaptive Cybersecurity Training Framework for Social Media Risks (ACSTF-SMR), a framework that incorporates social media cybersecurity policies and best practices. The ACSTF-SMR enables organizations, trainers, and policymakers to address the challenges posed by social media in a way that satisﬁes employees’ training needs and adjusts to their preferences. We tested the ACSTF-SMR with 38 case studies. Employees’ behaviors, learning, and responses after training were assessed, and feedback was gathered to improve the framework. Interviews with policymakers were held to gain insight into the enforcement of social media policies. We conclude that the ACSTF-SMR is a reliable option to mitigate social media threats within organizations.


Introduction
Social media has transformed the communication landscape, although this has been at the expense of imminent dangers.Given that social media is based on the notion of community and relationships, its very nature means that users are expected to trust in each other and interact.Unfortunately, uncontrolled trust and thoughtless interaction may lead to vulnerabilities, which are often exploited by hackers [1,2].
Researchers have argued that most organizational incidents result, either directly or indirectly, from human errors, and this seems to be the case for cybersecurity incidents too [3][4][5]-according to the 2020 Data Breach Investigations Report, humans play an important part in cyber threats [6].Regrettably, the awareness of cybersecurity threats seems relatively low, particularly in relation to social media.
Employees need to learn how much information they can share on social media without taking unacceptable risks for the organizations for which they work [7][8][9][10].Improving the security and privacy of employees on social media is vital, and such improvements must match the continuous evolution of technology [9].Social media was not designed with built-in defenses [11]; therefore, its users are easy targets [12].
Many organizations have chosen to cope with social media risks in a reactive manner, rather than proactively controlling them [13].Typically, social media policies are in place in organizations [14], although such policies do not necessarily seek to raise the awareness of the employees [15].
Although employee awareness is the first line of defense for information systems [12], the existing training approaches do not consider the awareness of different types of employees and different levels of understanding.Moreover, pondering the effects of human factors while developing mitigation strategies to prevent cybersecurity risks is not common [16].One of the contributions of this paper is that it fills the resulting knowledge gap of identifying human factors that are responsible for aggravating cyber risks while using social media and providing an adaptable training framework to improve the knowledge and skills of the employees in organizations that use social media.
Many cybersecurity training frameworks face issues due to the trainees' perceptions.The training and instructional materials on awareness, or any other cybersecurity topic within an organization, rarely consider the employees' preferences for learning styles [2,17,18].In fact, organizational training frameworks are often perceived as time-consuming, non-inviting, or intimidating.We intend to alleviate these issues by creating a framework that takes into account the preferences of the employees.However, we must start by identifying such preferences, so that we can offer a proper mix of delivery approaches; this has been deemed to be not only advisable but indispensable [19][20][21].We propose the development of a new training framework such as the one suggested by Creswell [22], which can be used to test our ideas, collect research data, and examine various hypotheses.Our work makes the following contributions:

•
A framework to develop cybersecurity training that is adaptable to the needs and preferences of different employees within an organization; • A single and simple online guide to social media policies and the best security practices for organizations; • A collection of compliance reports considering employee risk levels to support mitigation strategies.
This paper is organized as follows.Section 2 introduces the background for our work by providing a review of previous work and a comparison between the existing approaches and what we have done.Section 3 presents the framework methodology, which extends the methodology proposed by Schürmann et al. [20].Section 4 includes an evaluation of our framework (ACSTF-SMR).Section 5 discusses training and social media policies from the perspective of policymakers.This is largely to fill the gap between the literature and practical experience.We complemented our work with 11 semi-structured interviews with policymakers who are involved in cybersecurity education and organizational training.Finally, Section 6 presents our conclusions.

Background
Previous studies have found that human factors-such as age, education, job role, behavior, and attitudes-affect an employee's awareness of cyberattacks within the organizations they work.Thus, we started our investigation by looking at the research on human factors that had been carried out before.Table 1 summarizes our findings from the existing literature.Afterwards, we present a detailed description of how our work compares to former developments.

Age
Younger employees have a higher chance of being victims of cyberattacks than older peers [23,24].
Cybersecurity training is more vital for older people than younger peers [25,26].
People between 18 and 25 are more exposed to social media phishing than others [27].

Background
Employees with technological backgrounds are more familiar with cyber threats than others [28].

Job Role and Sectors
Job roles are a vital factor associated with cybersecurity risks [29].
The financial sector is the most frequent target of cyberattacks [31].

Behavior and Attitudes
People who use social media for exchanging information are more likely to be victims of cyberattacks [32].
People who ignore security-related warnings are more likely to be victims of cyberattacks [23].
To compare our work with former developments, we have produced Table 2, which offers more details of the advantages provided by the existing approaches, their drawbacks, and how our work compares to them.Hadlington [23] suggests that younger people are more vulnerable to phishing attacks than older ones.
Although we agree with Hadlington, we have not limited our analysis to phishing attacks, and we attempt to correlate different age ranges with other cybersecurity issues that are also part of social media.

Benefits Drawbacks
A person's individual background and prior work experience play a vital role when addressing cybersecurity risks, as stated by Hatzivasilis et al. [24].
There was no previous study of the impact on cybersecurity of the background and work experience of employees enrolled in various sectors of the industry.This is what we have done, and what we encourage other researchers to do in the future.

Benefits Drawbacks
Nifakos et al. [30] argued that healthcare professionals-such as doctors, nurses, and medical support staff-pose higher risks to their organizations when they interact with social media platforms.
While we generally agree with Nifakos et al.'s observations [30]; healthcare is not the only sector in the industry that is at risk on social media.We are also interested in other sectors.Thus, we collected information from employees working in a wide range of organizations performing many different roles.We found that employees working in financial operations face a very high risk level [34], which agrees with recent estimates that the financial sector is the preference of choice for attackers-44% of the cyberattacks occur within the financial sector [31].
The present investigation involves a comprehensive review of the frameworks found in the literature.The objective is to critically evaluate these frameworks to come up with an optimal solution for the creation of an adaptive training strategy.As a result of the scarcity of research that accounts for human factors in cybersecurity, our review is confined to the cybersecurity training models presented in Table 3.

Framework/Model Pros Cons
Cybersecurity Culture Guidelines: Behavioral Aspects of Cybersecurity [2] The consideration of human factors in cybersecurity is of the utmost importance, necessitating regular assessments of employees to ensure their sustained knowledge in this domain.
The primary emphasis of this framework is a broad understanding, rather than focusing on awareness inside the realm of social media.

Competency Development and
Assessment Framework [35] When providing cybersecurity training, it is crucial to consider the various roles performed by every employee within the organization and to consistently prioritize evaluation.
The assessment was conducted using a singular training methodology (namely, the "capture the flag" game).
Mission Cybersecurity Framework [36] The significance of prioritizing policies as a foundational element for training.
The framework provided is rather broad and needs a specific emphasis on promoting awareness regarding social media.

Holistic Cybersecurity Maturity
Assessment Framework [37] A comprehensive analysis of the process involved in designing and implementing web-based evaluations, with a specific focus on their use as a benchmark for decision-making purposes.
The framework needed to adequately account for the distinctiveness of social media users at work concerning the organizational context.
TET Framework [38] Prior to developing a successful cybersecurity training program, it is imperative to start with an evaluation of the individual employee's knowledge.
The approach does not fully account for employees' perceptions, attitudes, and preferences for training.
Cybersecurity awareness [39] When developing cybersecurity training programs, it is essential to consider the learners' existing knowledge levels and human factors and emphasize behavior changes among the trainees.
The framework addresses concerns in a broad sense, with a specific focus on the capabilities and behaviors of trainees, although it does not consider social media risks.
Behavior Change Wheel Framework (BCW) [19] Understanding the theoretical foundations of behavior change, identifying appropriate assessment methods, and ensuring the assessment is valid and reliable.
The validation was limited to the medical field and did not specifically address risks arising from social media.
Cybersecurity Culture Model [40] This model aims to augment the comprehension and involvement of users in relation to cybersecurity policies, while considering a cybersecurity culture.
The framework places emphasis on the overarching culture of cybersecurity, without delineating any precise details of the approach.
NIST Framework [41] Established standards, guidelines, and best practices in the field of security, with a primary objective of safeguarding critical infrastructure.
The framework disregards the influence of human factors in cybersecurity.

Social Media Risk Management Model [13]
A conceptual framework aimed at delineating and differentiating four key components of social media risk management.
The framework offers a broad perspective, rather than an adaptive training framework to enhance employee awareness.
The existing cybersecurity training frameworks for social media are largely generic, and in some cases cumbersome to implement.It is debatable if such frameworks can be adapted for all employees, considering their varying levels of knowledge, backgrounds, and preferences.While the European Union Agency for Cybersecurity (ENISA) has recommended a framework that considers human aspects [2], it primarily focuses on general awareness instead of social media awareness, which is what we intend to produce.
According to the ENISA [42], an effective cybersecurity training session should include an introduction, real-life stories, videos, games, group activities, and competition among learners.It is also important to include an analysis of real case studies and an explanation about why certain policies have been enacted.Avoiding technicisms and conveying short and clear messages are critical aspects too [43].Bada and Nurse [15] have discussed the importance of training methods that are free of complexity and easy to comprehendtraining simplicity leads to training success [44].
Brilingaite et al. [35] highlighted the importance of considering non-technical employees while selecting a training approach.However, their framework has limitations because it is based on gaming; hence, it may be appealing only to certain age brackets.Our framework stems from the need to consider different approaches, knowledge levels, and preferences, as highlighted previously by Salamah et al. [34].
Ki-Aries and Faily [45] carried out an experiment to ascertain people's preferences for video-based, game-based, or text-based training approaches.They found out that merging different approaches produces better outcomes than using only one.Thus, we aim to offer as many training options as possible, although we are aware of the complexities and demands of offering a variety of delivery methods in real-world scenarios [46].
Furnell and Vasileiou claimed that training is more effective when employees feel that it is tailored to them [33].Therefore, training should be customized to organizations and circumstances [47], such as business needs, budgets, missions, and cultures [15].That is exactly what we want to do, although in the context of social media risks, which has not been contemplated in detail in previous work.
Cybersecurity training needs to be based on the roles of the employees and their responsibilities within the organization [24].However, the depth of the training may vary, as some employees need only basic knowledge and others need a thorough understanding.Hence, our framework begins with the identification of the requirements for training.
Demek et al. [13] argued that employees need to be trained thoroughly on cyber policies, and these policies need to be clear and easily enhance their effectiveness.Thus, as we will discuss later, our framework is based on simple and unambiguous questions derived from recommended policies and best practices.
Dawson [36] also highlighted the importance of policies in cybersecurity.Nevertheless, Dawson's framework is too generic and does not focus on human aspects [36].Aliyu et al. [37] presented a cybersecurity assessment tool for higher education institutes but failed to consider the employees separately from the organization.As opposed to Aliyu et al. [37], we intend to prioritize the individuals and concentrate on social media.
Zhang et al. [21] pointed out that cybersecurity training is a long-term investment, and organizations must make sure that it does not become generic.Individual employees have different responsibilities within the organization [34], and their cybersecurity awareness and knowledge levels vary too.Although it is commonly accepted that one-size-fits-all training approaches fail [21], few studies have looked at how the training should be tailored in the context of social media, which is what this study aims to accomplish.
Among the existing frameworks to raise cybersecurity awareness, the study by Wang et al. [36] deserves careful consideration.Wang et al. [36] believe that training should be based on the employees' knowledge.Whilst we agree with this, we also think that the training needs to be based on the employees' preferences, perceptions, attitudes, and demographics.
Attention needs to be paid to the trainers too.The trainers play a huge role in increasing the enthusiasm towards the learning process [35].Indeed, the ENISA has worked on enhancing network security by raising the knowledge of the trainers [48].Researchers argue that having qualified and skilled trainers is a must [49].
Regarding testing and evaluation, Alshaikh et al. [19] validated their work in the medical domain, although we will validate our work in other industries too, such as the financial sector, and we have collected information from employees in various organizations.

Methods
The ACSTF-SMR follows the methodology proposed by Schürmann et al. [20], which defines the three fundamental steps for cybersecurity training.The first step consists of analyzing the target group to identify their roles and responsibilities.The second step involves risk assessment, and the third step identifies gaps and vulnerabilities.The development of the training material and the evaluation of the training program are additional steps that complete the entire process.
Taking Schürmann et al. [20] as our starting point, we propose a training framework consisting of four steps, as shown in Figure 1.Our first step identifies the target audienceemployees' backgrounds are determined here, including their job roles, age, education, work experience, and patterns of social media usage.We will consider the employees' preferred training methods to ensure our training is adaptable [34].
worked on enhancing network security by raising the knowledge of the trainers [48].Researchers argue that having qualified and skilled trainers is a must [49].
Regarding testing and evaluation, Alshaikh et al. [19] validated their work in the medical domain, although we will validate our work in other industries too, such as the financial sector, and we have collected information from employees in various organizations.

Methods
The ACSTF-SMR follows the methodology proposed by Schürmann et al. [20], which defines the three fundamental steps for cybersecurity training.The first step consists of analyzing the target group to identify their roles and responsibilities.The second step involves risk assessment, and the third step identifies gaps and vulnerabilities.The development of the training material and the evaluation of the training program are additional steps that complete the entire process.
Taking Schürmann et al. [20] as our starting point, we propose a training framework consisting of four steps, as shown in Figure 1.Our first step identifies the target audience-employees' backgrounds are determined here, including their job roles, age, education, work experience, and patterns of social media usage.We will consider the employees' preferred training methods to ensure our training is adaptable [34].The communication with the employees, the quizzes, and the training were all carried out in the English language.Due to the nature of our investigation and given that we were required to store and analyze details about the employees' work and their demographics, we had to undertake the ethical review process stipulated by the The communication with the employees, the quizzes, and the training were all carried out in the English language.Due to the nature of our investigation and given that we were required to store and analyze details about the employees' work and their demographics, we had to undertake the ethical review process stipulated by the University of Plymouth (Plymouth, UK), which is where we were based while conducting our research.
The ethical review was recorded through the Plymouth Ethics Online System (PEOS) (Plymouth, UK) [50], and the approval was granted on 5 September 2020.Abiding by the University of Plymouth's ethical approval policy, the survey to gather information about the participants was conducted in anonymity.
The thirteen training approaches that we offered to the employees are listed in Table 4.We provided a wide range of options to cater for as many preferences as possible.

Awareness Raising Events
Occasional events at which employees are invited to increase their awareness and knowledge of cybersecurity risks on social media.

Email
Messages sent from management or training coordinators to the employees to deliver cybersecurity information, warnings about new or specific threats, etc.

Games
Software or classroom games that facilitate engagement and participation.

Incentives
Concessions or benefits offered to promote "good" behavior and discourage "bad" behavior.

Mock Attacks
Training which imitates various forms of cyberattacks as a way of preparation.Cyberattacks may include phishing tests, sharing virus-infected devices, etc.

Online Training Course
Training which can be attended individually at convenient times.

Posters
Large printed pictures that include tips on useful resources, overviews of threats, information about new risks, advice, and suitable contacts within the organization.

Social Media Posts
Alerts posted on social media platforms about specific threats, good practices, and useful resources.

Stories
Real-life stories that can be printed on flyers, told in videos, or during online sessions.

Tip Sheets
Short lists providing easy access to key information about cybersecurity.

Videos
Recordings featuring references to good practice to demonstrate correct responses to cyber threats.

Webinars
A seminar conducted over the Internet, which can be recorded and saved in an accessible place-for example, the organization's Intranet for those who could not attend or want to revisit aspects of the talk.

Workshop
In-class training where the employees interact with others and ask questions.
Our second step evaluates the risk levels of each individual employee following the recommendations of the National Cyber Security Centre (NCSC) [51] and its best practices for social media [52].To do so, employees take a quiz to assess their knowledge and skills, and we collect the data that we use to determine what sort of training is needed and how it will be delivered.
Using a risk assessment tool is a cornerstone of our framework.Our risk assessment tool is based on two main factors, the target group (TG) and awareness (A).To explore the awareness factors, the questions in our quiz assess the employees' level of knowledge regarding best practices for social media.The quiz is designed to estimate the three security risk awareness levels: high, moderate, and low [20].The parameters used to develop the quiz are listed below:

•
Hacking challenges; An organization's training program will be based on the awareness scores that the employees are awarded.An awareness score indicates how much knowledge an employee has of social media best practices.The score is made up of three components:

•
Knowledge: The knowledge of the employee about safe behavior on social media; • Behavior: The behavior of the employee in response to cybersecurity incidents; • Attitude: The attitude of the employee about the importance of following the best practices recommended.
To calculate the score for each employee, the quiz includes ten generic cybersecurity questions and five questions for each independent social media platform-five questions for Facebook, five for Instagram, and so on.Employees select the questions they answer based on their social media needs within their organizations-for instance, some employees may only use Facebook, whereas others may combine Facebook with Instagram.
The design is our third step, as indicated in Figure 1.The design involves the creation of a training program that respects the employees' preferences and fulfills their needs for knowledge, behavior, and attitude improvement.This is the main difference between our work and other existing frameworks [13,36,38].This is the step where we can make use of human factors that we have identified as responsible for aggravating cyber risks and suggest mitigation strategies.This is also the step where we can cater for the employees' preferences and learning styles.
Finally, the fourth step of our proposed framework consists of evaluating the adaptive cybersecurity training program designed in the previous step, based on all of the information collected so far.After the training has taken place, we will gather feedback about the training materials and delivery, so that we can make improvements.

Validation Strategies
A framework's validity is established when it effectively achieves its objectives [53,54].To verify that the ACSTF-SMR has achieved its objectives, we employ case studies, surveys, and interviews.

Case Studies
Case studies are guiding tools for identifying issues observed in actual scenarios [55].Our suggested framework has been tested empirically through case studies to find evidence to support the outcomes of a training program.The ACSTF-SMR has been applied to various employees with different roles and backgrounds in Kuwaiti organizations that form parts of our case studies.
Even though we only obtained information from Kuwaiti employees, Kuwait's conditions helped us acquire a thorough understanding of some of the global cybersecurity issues.Kuwait is among the five Arab countries that use social media the most [56].In addition, it is ranked eighth for email hacking and sixth for spam attacks [57].Thus, focusing on Kuwait's case can provide us with invaluable insight into cybersecurity issues in Arab nations and globally.

Survey and Interviews
An online survey was conducted to get employees' feedback on the training program's structure and content.The survey concluded with open-ended questions to provide employees with an opportunity to expand further on their comments or clarify their views.Moreover, the trainer also recorded the employees' reactions during the training sessions that were organized online.
To avoid falling into the trap of basing business decisions on skewed survey results, we prevented selection and response bias in the following ways [58]:

•
Selection bias: We gathered feedback from all those involved in our training program, namely the employees who were included in the study, the training providers, and the policymakers.This meant that no group was left out of the survey, which addressed any possible sampling bias.Additionally, we asked everyone to take our survey immediately after the training was completed, while they could still recall their experience.Given that we received answers from all the stakeholders involved-this was encouraged by ensuring everyone that the survey was anonymous-we can confirm that a non-response bias did not affect our analysis either.

•
Response bias: To prevent acquiescence bias, we avoided questions that only allow a "yes" or "no" answer because they do not provide sufficient levels of nuance.Instead, we employed a Likert response scale that does not lend itself easily to acquiescence bias [59].Employees were asked to rate our different training components on a scale of 1 to 5 and to indicate their agreement with some statements about the training program.

Validation Process
To validate the ACSTF-SMR, we separated the employees into two groups: the first group received customized training and the second group received standard training.After the training was completed, we reassessed the employees' awareness.
We evaluated the outcomes of the training program.A statistical t-test [60] was used to determine if the training achieved its purpose.Additional questions asked after completing the training were designed to gain feedback and improve future delivery.

Results
An invitation was sent by email to 250 employees working across various industries in Kuwaiti organizations to participate in an experimental study where we offered to train employees on cybersecurity risks present on social media.The text of the invitation included information about the training that we were providing, how long it would take to complete it, and their right to withdraw from the study at any time.
A total of 80 employees out of the 250 who received our invitation responded and completed the initial evaluation.Once the initial evaluation was submitted and we had returned to the respondents a report stating how proficient they were on the use of social media at work, we invited them to join our training.Only 38 of them agreed to be trained.Table 5 provides information about the 38 employees who received our training.The 38 participants were offered the choice to receive the type of training that they wanted, and they were split into two groups.The first group consisted of 24 people, and they were given customized training.The remaining 14 were included in the second group and were provided with standard training.

Customized Training
To accommodate for all participants' needs and preferences, 24 customized training sessions were designed.A total of 11 of the 24 participants who preferred customized training sessions chose to attend in person, while 12 of them preferred to watch videos in their own time to improve their skills.Each video lasted between 5 and 8 min and showed graphs, images, and brief descriptions to explain common risks and errors committed while working on social media platforms.
Only one of the 24 participants chose to learn through posters, and posters were created for her.However, owing to the restrictions imposed by the COVID-19 pandemic, the 11 participants who chose to attend the sessions in person had to attend them virtually in the end.The virtual training sessions were conducted via Zoom, the online meeting platform (https://zoom.us/accessed on 21 August 2023).
The customized training sessions increased the cybersecurity knowledge and skills of all participants.The types of training preferred by the participants, the types of training that we delivered, and the pre-and post-training scores are all shown in Table 6.It should be noted that the quiz for some employees was longer than for others because some employees required training for more than one social media platform.
A statistical t-test [60] was performed to further compare the two groups-pre-and post-training.The confidence intervals for the two groups were set to 95% and 99%, respectively, which meant that p-values between 0.05 and 0.01, respectively, were considered statistically significant.The t-test results demonstrate that the training sessions increased the cybersecurity knowledge and skills of the participants.The mean difference between the pre-and post-training scores was 6.54.Thus, we can confirm that after the training was delivered according to the employees' needs, preferences, and perceptions, their knowledge and skills increased.All scores are visually represented in Figure 2. considered statistically significant.The t-test results demonstrate that the training sessions increased the cybersecurity knowledge and skills of the participants.The mean difference between the pre-and post-training scores was 6.54.Thus, we can confirm that after the training was delivered according to the employees' needs, preferences, and perceptions, their knowledge and skills increased.All scores are visually represented in Figure 2.

Standard Training
As stated earlier, 14 employees underwent a standard training program.This training also increased the knowledge and skills of the participants.However, the improvement after the training sessions was not as much as in the case of the customized training.The

Training Feedback
Training effectiveness can be reliably estimated through feedback [61].The employees' feedback indicates how satisfied they are with the training environment and the trainer's efficacy.Andriotis [62] emphasizes that the training feedback must be

Training Feedback
Training effectiveness can be reliably estimated through feedback [61].The employees' feedback indicates how satisfied they are with the training environment and the trainer's efficacy.Andriotis [62] emphasizes that the training feedback must be analyzed in terms of engagement, suggestions, comprehension, and effectiveness.Hence, we asked the employees the questions listed in Table 8; only anonymous feedback was accepted.Most of the employees who undertook the customized training were positive towards the training program.A total of 96% of them stated that the training had motivated them to learn more about the risks on social media and the tools that keep them secure.They also showed eagerness to educate others.Overall, they were satisfied.
The open-ended questions at the bottom of Table 8 created qualitative datasets to validate our framework's effectiveness.This gave us more insight into the employees' perceptions and views.Examples of the answers received for the question "What did you like the most about the training session?" appear in Table 9.

What Did You Like the Most about the Training Session?
"I enjoyed how obvious and straightforward the subject is!" "Information was provided simply and directly"."Explaining my typical mistakes and teaching me to adopt best practices were the key strengths of the session"."Receiving immediate feedback on my answers to the quiz is more beneficial than having to wait for the trainer to evaluate my responses and get back to me"."It was exceptional for me".
One of the employees suggested uploading the videos to YouTube-the online video sharing platform (https://www.youtube.com/accessed on 21 August 2023)-so that everyone can access them at any time.This shows how well received the training was and how much it is needed.Some of the employees who undertook the standard training also provided us with feedback for the open-ended questions at the bottom of Table 8, and examples of this are shown in Table 10.Additionally, two of the employees who undertook the standard training admitted that they did not complete the program; apparently, they did not like the posters and ignore them."More images and infographics are needed".
"Screenshots needed to be improved to show step-by-step the procedure we must follow".
"Quiz questions need to be clearer".

Discussion
To fill the gap between the literature and practical experience, we complemented our work with the employees with 11 semi-structured interviews with policymakers who are involved in cybersecurity education and organizational training.
Table 11 displays the background details of our interviewees, who came from different institutions in the state of Kuwait.As far as cybersecurity policies are concerned, our interviews allowed us to conclude that most organizations have such policies in place.However, they may not be clear about their significance in the context of social media.One of the interviewees told us, "Staff in my organization is totally in the dark".Another one said, "We are cautious about the secure use of the Internet, but hardly any policy is in place for social media".
Policymakers responsible for enforcing security policies have struggled with the mindsets of social media users."Putting policies in place is itself a daunting task", was said by one of the senior security officers interviewed.Another one argued that "organizational risk is reduced significantly by applying policies strictly without exception".Therefore, some of the policymakers think social media policies must be enforced as part of job descriptions and contracts.Regardless, changing individuals' attitudes on social media is not simple, and our interviewees considered this "a global issue" not limited to Kuwait.

Conclusions
The framework provided here is a novel approach to generating adaptive cybersecurity training to mitigate social media risks within organizations.The framework starts by assessing an employee's level of awareness of social media threats, and then proceeds to increase their knowledge and skills.Our goal is to assist organizations in preventing and addressing social media cybersecurity-related risks.
While the framework's development is an ongoing process, it contributes to raising general awareness.Risk assessment tools can assist organizations in firmly establishing risk mitigation plans.Our Adaptive Cybersecurity Training Framework for Social Media Risks (ACSTF-SMR) provides a methodology for organizations, trainers, and policymakers to approach the challenges of social media cybersecurity training.
To determine the efficiency of the adaptive training, the employees were divided into two groups.The first group received customized training, whereas the second received standard training.The customized training took into account each employee's needs, preferences, views, and level of knowledge.The t-test was used to compare the results before and after training, revealing that customized training is superior to standard training.
The employees' feedback was collected by administering a questionnaire.We captured quantitative and qualitative feedback on the training program.Andriotis' evaluation approach was used to assess the feedback we received.The results establish that the ACSTF-SMR can mitigate social media threats in organizations.
While our study met its objectives, it had limitations that must be acknowledged.Human behavior is unpredictable and must be improved through training, as employees are the weakest link in cyberattacks.However, understanding human behavior as part of social media interactions in different geographical locations and different sociocultural backgrounds is a comprehensive task that cannot be approached in the short term.While this study provides the basis for future work, forthcoming research should confirm that the proposed framework can be validated in various geographies.
We emphasized respecting the preferences of employees.However, newcomers may not be able to make some choices simply because they are not acquainted with the different options.Thus, the future research should also focus exclusively on those with previous experience with more than one training method and find ways to identify why some methods are more adaptive than others.

Figure 2 .
Figure 2. Scores for the employees who undertook customized training.

Figure 2 .
Figure 2. Scores for the employees who undertook customized training.

Figure 3 .
Figure 3. Scores of the employees who undertook standard training.

Figure 3 .
Figure 3. Scores of the employees who undertook standard training.

Table 1 .
Findings linking cyber threats with human factors.

Table 2 .
Comparison with previous work.
Furnell and Vasileiou did not study the problem specifically within the context of organizations with a presence and operations on social media, which is what we intend to do.

Table 3 .
Advantages and disadvantages of existing frameworks.

Table 5 .
Background of the participants of our study.

Table 6 .
Employees who participated in customized training.
Suggestions•What did you like the most about the training session?•What can be improved?

Table 10 .
Standard training feedback.

Table 11 .
Policymakers and cybersecurity educators' background details.