Proceeding Paper

How User Training Can Be Used to Strengthen the “Weakest Link” in the Chain of Protection Against Cybercrime †

by José Agustín Portas Yáñez, Ana Lucila Sandoval Orozco and Luis Javier García Villalba *
Group of Analysis, Security and Systems (GASS), Department of Software Engineering and Artificial Intelligence (DISIA), Faculty of Computer Science and Engineering, Office 431, Universidad Complutense de Madrid (UCM), Calle Profesor José García Santesmases, 9, Ciudad Universitaria, 28040 Madrid, Spain
* Author to whom correspondence should be addressed.
Presented at the First Summer School on Artificial Intelligence in Cybersecurity, Cancun, Mexico, 3–7 November 2025.
Eng. Proc. 2026, 123(1), 38; https://doi.org/10.3390/engproc2026123038
Published: 9 February 2026
(This article belongs to the Proceedings of First Summer School on Artificial Intelligence in Cybersecurity)

Abstract

According to the most recent reports from the Ministry of Interior, a large percentage of computer crimes committed in Spain correspond to fraud. By analysing the components that are involved in such crimes, we find that a primary component is participation, whether that be in a voluntary or involuntary and unnoticed way, as it is with some of the victims. We then analyse a proposal to incorporate instructional components within the academic frameworks of several degrees in computer science, with the aim that the new professionals in such areas can become educators for and leaders of the prevention against cybercrimes and thus increase protection for both individuals and institutions against attempts of deception and other computer crimes.

1. Introduction

Currently, one of the main issues of recurring concern is undoubtedly cybersecurity; day by day it is talked about in the media and is part of countless conversations around the issues that concern the general population [1]. According to the General Directorate of Coordination and Studies of the Secretariat of State (Spain) [2], there has been an increase of 26% compared to 2022, constituting a total of 472,125 criminal acts, and this is only those known to the corresponding authority. Of the crimes mentioned above, a large majority corresponds to the modality of computer fraud, because computer fraud requires either deceiving a naive user, or transgressing the protection barriers that some other user did not fortify in the most effective way. Due to the enormous complexity, they have a much lower occurrence, since they come from attackers with much greater preparation and respond to very targeted aspects. In this text, we will focus on computer fraud. This paper is organized as follows: Section 1 explains the current state of the field and the reason for the study. The findings are described in Section 2. Lastly, the paper’s conclusion and future research directions are covered in Section 3.

2. Development

Of the criminal acts known to the authorities, the majority are computer fraud (see Figure 1), which comprises cyber threats such as phishing, smishing, malware, ransomware, fake ecommerce, and even identity theft, mainly aimed at violating the information contained in the user’s devices. Mostly, this involves the (most commonly inadvertent) participation or facilitation of an authorized user; therefore, it is imperative to understand and take actions directed against this type of crime [3].
The different types of threats in the computer fraud group mainly use the strategy of “tricking” the victim into taking some course of action. In addition, there is also the virtual hijacking of computers or information and the creation of profiles that are either completely false, or imitating the identity of a person [4].
We can also assert that there are some factors that contribute to the success of the undertaking of fraud, such as the following [2]:
  • Misinformed people.
  • Fragmented or incorrect information, largely encouraged by the proliferation of so-called “Fake News”.
  • Smear campaigns and threats to spread them.
  • Access to systems and resources of institutions with few security measures.
  • User dissatisfaction with strong passwords and two-factor authentication.
  • Poor ability to detect the authenticity or falsity of messages or requests for action [5].
It can be asserted with sufficient certainty that having observant, analytical, and trained users with awareness of the uses of computer resources at their disposal could result in a significant reduction in the risk of suffering computer fraud.
The training of users is of utmost importance, since they are the weakest link in the data protection chain, mainly due to factors such as the convenience of frequent use of resources, as well as the complexity of computer systems, which is unknown and often ignored. In addition, user awareness is key, since some of the major cyberattacks have been detected thanks to an “I think something is wrong” correctly reported by an end user. Some of the sources consulted even recommend periodically carrying out risk perception assessments of users as well, in order to be able to predict their behaviour in the face of potential vulnerabilities [6].
The situation gains relevance when we analyse the entire population of users of web services and we see that it is distributed almost equally among age groups between 26 and 65 years old, leaving in second place the two extremes in age, users between 18 and 25 and over 65 (see Table 1).
These data allow us to infer that the population in the active working stage is potentially more likely to be a victim of computer fraud, or to be exposed to a greater risk of being attacked by one of the offenders of the aforementioned crime. In the business field, where the number of personnel with professional training in the field of computing is significantly lower, no source currently refers to any training program for users without specialization in computers, specifically in the area of cybersecurity. From the above, the core proposal lies in the implementation of IT professionals as trainers in the field of information security in each of their work environments.

2.1. The Role of the “Insider”

Users who have some level of access to the organization’s resources are defined as “insiders”, since they are affiliated to the organization and this affiliation can be used for external purposes, which has the potential to be harmful to the organization. Such events can occur with the knowledge (and complicity) of the employee, although they can also inadvertently and carelessly “leave open” some doors for the entry of threats [7].
Each user who has a certain level of access to computer resources can become an “insider”, due to their level of knowledge of the security measures of the systems, as well as the degree of caution they have with security regulations and good practices with access data and devices [8].
Such a user can be of two types: a malicious user whose purpose is to cause damage to the organization, or a user who unintentionally commits some oversight or omission and compromises the security of computer resources, thus facilitating the intrusion of external organizations that do have the intention of violating the company [8].

2.2. About the Training

Using the analysis, employees in most organizations must use electronic devices, which may or may not be connected to various systems and/or databases, so a number of mechanisms are proposed for user training, including seminars, online training, videos, emails, posters, and even gamified exercises that evaluate their susceptibility to threats.
The choice between the training programs can always be adapted according to the needs of the organization, as well as the periodicity of them, according to factors such as the size of the organization and the availability of time for such training.
The suggested training topics of greatest relevance at the time of writing this document are the following: (i) information privacy, (ii) software vulnerabilities, (iii) environment vulnerabilities, (iv) malicious code (viruses and their derivatives), (v) spyware, (vi) ransomware, and (vii) consequences of a cyber attack [6].

2.3. The Trainer

Mainly in medium and small organizations, it may seem unfeasible to add one more task to the staff of that department; however, it is also important to recognize that this area requires knowledge about the protection status of the data and the systems of the organization.
The IT branch of organizations should guarantee professional training (bachelor’s or master’s degree) in any of the areas of computer science that allow them to be aware of the assets which they are responsible for. These specialities almost entirely lack competencies that belong to the field of training, so a substantial majority of professionals in the field of computer science have the knowledge that needs to be transmitted but lack the tools and strategies to transmit it correctly [9]. The likelihood of having computer professionals with extensive knowledge in cybersecurity on top of possessing pedagogical/training skills is enormously low, and cannot meet the needs of a constantly growing sector.

3. Conclusions

The incidence of computer crimes, mainly fraud, has been steadily increasing in recent years. The age group most likely to suffer from it is those who are in the active working stage (26 to 65 years old). Most non-IT staff in organisations do not have any training in cybersecurity. A large number of cyberattacks occur with the (perhaps inadvertent) help of an authorised member of the organisation. The training of users of all levels of training in cybersecurity areas will contribute positively to avoid unwanted access due to carelessness. IT professionals should be in charge of educating and training their colleagues on cybersecurity issues. There is a niche opportunity to strengthen the curricula of computer-based professions with a complement in pedagogy, thus enabling computer professionals to successfully carry out a training programme. Non-IT personnel properly trained and sensitised in cybersecurity issues (inadvertently) will contribute to the detection of anomalies and incorrect uses that occur around them. In the field of human resources, an applicant who can demonstrate prior training in cybersecurity issues will have a significant advantage in the competition against other applicants for the position.

Author Contributions

Conceptualization, J.A.P.Y., A.L.S.O. and L.J.G.V.; methodology, J.A.P.Y., A.L.S.O. and L.J.G.V.; validation, J.A.P.Y., A.L.S.O. and L.J.G.V.; investigation, J.A.P.Y., A.L.S.O. and L.J.G.V.; original draft preparation, J.A.P.Y., A.L.S.O. and L.J.G.V.; writing—review and editing, J.A.P.Y., A.L.S.O. and L.J.G.V. All authors have read and agreed to the published version of the manuscript.

Funding

This work was carried out with funding from the Recovery, Transformation and Resilience Plan, financed by the European Union (Next Generation EU), through the Chair “Cybersecurity for Innovation and Digital Protection” INCIBE-UCM. In addition this work has been supported by Comunidad Autonoma de Madrid, CIRMA-CM Project (TEC-2024/COM-404). The content of this article does not reflect the official opinion of the European Union. Responsibility for the information and views expressed therein lies entirely with the authors. However, the opinions expressed are the sole responsibility of the authors and do not necessarily reflect those of INCIBE, the European Union, or the European Commission-EU. Neither INCIBE, the European Union nor the European Commission can be held responsible.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable; this study does not report any data.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Domínguez, C. Es la ciberseguridad centro de preocupación: Tendencias. DATA, NUBE Y CIBERSEGURIDAD. Reforma, Negocios, 26 Agosto 2022. Available online: https://www.reforma.com/aplicacioneslibre/preacceso/articulo/default.aspx?__rval=1&urlredirect=https://busquedas.gruporeforma.com/buscar/reforma/documentos/VisorArticulos.aspx?idComptto=6&sIdIdentificadorParm=6s7976185d&idproducto=3&id=2327041&tipoElemento=/impresa/&text=Es%20la%20ciberseguridad%20el%20centro%20de%20preocupaci%f3n%20&imgUrl=https://hemerotecalibre.reforma.com/20220826/interactiva/RSNG20220826-006.JPG (accessed on 26 January 2026).
  2. Dirección General de Coordinación y Estudios, Secretaría de Estado de Seguridad. Informe Sobre la Cibercriminalidad en España; Ministerio del Interior, Gobierno de España: Madrid, Spain, 2023.
  3. Ciprian Birlea, M. Phishing Attacks: Detection And Prevention. arXiv 2020, arXiv:2004.01556.
  4. González, J.A.L.; Granados, A.R. Delitos Informáticos: Su Clasificación y una Visión General de las Medidas de Acción Para Combatirlo; Universidad Autónoma de Nuevo León: San Nicolás de los Garza, Mexico, 2013; pp. 44–51.
  5. Acosta, M.G.; Benavides, M.M.; García, N.P. Delitos Informáticos: Impunidad Organizacional y su complejidad en el mundo de los negocios. Rev. Venez. Gerenc. 2020, 8, 351–368.
  6. Hernández, R.V.R.; Ibarra, C.M.J. Concientización y capacitación para incrementar la seguridad informática en estudiantes universitarios. Rev. Tecnol. Soc. 2018, Año 8, 14.
  7. Blackwell, C. Insider Threat: Combating the Enemy Within; IT Governance Publishing: Cambs, UK, 2019.
  8. Mazzarolo, G.; Jurcut, A.D. Insider threats in cyber security: The enemy within the gates. arXiv 2019, arXiv:1911.09575.
  9. Harjinder, L.; Jane, S.; Mike, J.; Helge, J.; Blaine, P.; Richard, H. Pedagogic Challenges in Teaching CyberSecurity—A UK Perspective. In Proceedings of the 2014 IEEE International Conference on Communications and Computing, Sydney, Australia, 10–14 June 2014.
Figure 1. Distribution of computer crime types.
Table 1. Age distribution of victims.

| Age Group | Male | Female | Unknown |
|---|---|---|---|
| Unknown Age | 159 | 160 | 20 |
| Minors | 2238 | 2651 | 7 |
| From 18 to 35 | 22,286 | 22,841 | 3 |
| From 26 to 40 | 43,843 | 48,973 | 14 |
| From 41 to 50 | 38,428 | 43,382 | 30 |
| From 51 to 65 | 44,921 | 45,049 | 40 |
| Over 65 | 22,895 | 16,650 | 20 |
| TOTAL | 174,770 | 179,706 | 134 |