A systematic literature review of how cybersecurity-related behavior has been assessed

• Published in: Information and computer security Vol. 31; no. 4; pp. 463 - 477
• Main Authors: Kannelønning, Kristian, Katsikas, Sokratis K.
• Format: Journal Article
• Language: English
• Published: Bingley Emerald Publishing Limited 30.10.2023; Emerald Group Publishing Limited
• Subjects: Best practice; Compliance; Critical infrastructure; Cybercrime; Cybersecurity; Digital Object Identifier; Employees; Keywords; Knowledge; Literature reviews; Motivation; Security management; Self assessment; Systematic review; Theory of planned behavior; Human behavior; Cybersecurity; Assessment process
• ISSN: 2056-4961; 2056-4961; 2056-497X
• DOI: 10.1108/ICS-08-2022-0139

Purpose Cybersecurity attacks on critical infrastructures, businesses and nations are rising and have reached the interest of mainstream media and the public’s consciousness. Despite this increased awareness, humans are still considered the weakest link in the defense against an unknown attacker. Whatever the reason, naïve-, unintentional- or intentional behavior of a member of an organization, the result of an incident can have a considerable impact. A security policy with guidelines for best practices and rules should guide the behavior of the organization’s members. However, this is often not the case. This paper aims to provide answers to how cybersecurity-related behavior is assessed. Design/methodology/approach Research questions were formulated, and a systematic literature review (SLR) was performed by following the recommendations of the Preferred Reporting Items for Systematic Reviews and Meta-Analyses statement. The SLR initially identified 2,153 articles, and the paper reviews and reports on 26 articles. Findings The assessment of cybersecurity-related behavior can be classified into three components, namely, data collection, measurement scale and analysis. The findings show that subjective measurements from self-assessment questionnaires are the most frequently used method. Measurement scales are often composed based on existing literature and adapted by the researchers. Partial least square analysis is the most frequently used analysis technique. Even though useful insight and noteworthy findings regarding possible differences between manager and employee behavior have appeared in some publications, conclusive answers to whether such differences exist cannot be drawn. Research limitations/implications Research gaps have been identified, that indicate areas of interest for future work. These include the development and employment of methods for reducing subjectivity in the assessment of cybersecurity-related behavior. Originality/value To the best of the authors’ knowledge, this is the first SLR on how cybersecurity-related behavior can be assessed. The SLR analyzes relevant publications and identifies current practices as well as their shortcomings, and outlines gaps that future research may bridge.